Network Protocol Design and Evaluation

Similar documents
Lecture 3 SPIN and Promela

T Parallel and Distributed Systems (4 ECTS)

CS477 Formal Software Development Methods / 39

The SPIN Model Checker

What is SPIN(Simple Promela Interpreter) Elements of Promela. Material About SPIN. Basic Variables and Types. Typical Structure of Promela Model

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

CS477 Formal Software Development Methods / 32

The Spin Model Checker : Part I. Moonzoo Kim KAIST

What is SPIN(Simple Promela Interpreter) Material About SPIN. Elements of Promela. Basic Variables and Types. Typical Structure of Promela Model

Design of Internet Protocols:

Computer Aided Verification 2015 The SPIN model checker

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

Spin: Overview of PROMELA

Applications of Formal Verification

Formal Specification and Verification

Software Engineering using Formal Methods

Applications of Formal Verification

Software Engineering using Formal Methods

Tool demonstration: Spin

SPIN: Part /614 Bug Catching: Automated Program Verification. Sagar Chaki November 12, Carnegie Mellon University

Spin: Overview of PROMELA

Applications of Formal Verification

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

A Tutorial on Model Checker SPIN

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

Design and Analysis of Distributed Interacting Systems

Hello World. Slides mostly a reproduction of Theo C. Ruys SPIN Beginners Tutorial April 23, Hello() print "Hello"

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

The Spin Model Checker : Part I/II

The SPIN Model Checker

Logic Model Checking

Network Protocol Design and Evaluation

Multi-Threaded System int x, y, r; int *p, *q, *z; int **a; EEC 421/521: Software Engineering. Thread Interleaving SPIN. Model Checking using SPIN

SPIN: Introduction and Examples

Patrick Trentin Formal Methods Lab Class, March 03, 2017

Distributed Systems Programming F29NM1 2. Promela I. Andrew Ireland. School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh

TOWARDS AUTOMATED VERIFICATION OF WEB SERVICES

Introduction to Model Checking

SPIN. Carla Ferreira.

Patrick Trentin Formal Methods Lab Class, Feb 26, 2016

TRIAL-EXAM Software Engineering using Formal Methods TDA293 (TDA292) / DIT270. Only dictionaries may be used. Other aids are not allowed!

THE MODEL CHECKER SPIN

TRIAL-EXAM Software Engineering using Formal Methods TDA293 (TDA292) / DIT270. Only dictionaries may be used. Other aids are not allowed!

Distributed Systems Programming (F21DS1) SPIN: Simple Promela INterpreter

T Parallel and Distributed Systems (4 ECTS)

Model-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner

EMBEDDED C CODE 17. SPIN Version 4 supports the inclusion of embedded C code into PROMELA models through the following fiv e new primitives:

INF5140: Specification and Verification of Parallel Systems

FORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY

Using Model Checking with Symbolic Execution for the Verification of Data-Dependent Properties of MPI-Based Parallel Scientific Software

Automated Reasoning. Model Checking with SPIN (II)

INF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis II

MINIX 3 Process Analysis

Model checking Timber program. Paweł Pietrzak

V2 2/4/ Ch Programming in C. Flow of Control. Flow of Control. Flow of control The order in which statements are executed

Model-Checking Concurrent Systems

Flow of Control. Flow of control The order in which statements are executed. Transfer of control

Using Spin to Help Teach Concurrent Programming

Formal Verification by Model Checking

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis I

Beginner s SPIN Tutorial

Building Graphical Promela Models using UPPAAL GUI

Ch 9: Control flow. Sequencers. Jumps. Jumps

SPIN s Promela to Java Compiler, with help from Stratego

Preface... (vii) CHAPTER 1 INTRODUCTION TO COMPUTERS

MP 6 Modeling in Promela and SPIN

Temporal Logic and Timed Automata

Model Requirements and JAVA Programs MVP 2 1

FORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY

Blocking Non-blocking Caveat:

Formal Methods for Software Development

Mapping of UML Diagrams to Extended Petri Nets for Formal Verification

Writing an ANSI C Program Getting Ready to Program A First Program Variables, Expressions, and Assignments Initialization The Use of #define and

LTL Reasoning: How It Works

Fundamental Data Types. CSE 130: Introduction to Programming in C Stony Brook University

C Review. MaxMSP Developers Workshop Summer 2009 CNMAT

SWEN-220 Mathematical Models of Software. Concurrency in SPIN Interleaving

B.V. Patel Institute of Business Management, Computer & Information Technology, Uka Tarsadia University

Flow Control. CSC215 Lecture


Contents. Preface. Introduction. Introduction to C Programming

transformation of PROMELA models into Channel Systems,

There are algorithms, however, that need to execute statements in some other kind of ordering depending on certain conditions.

Deterministic Concurrency

Proving Dekker with SPIN and PROMELA

Applicant. LLC Service. LAN Segment

Application of Formal Verification to Software Security

Appendix. Grammar. A.1 Introduction. A.2 Keywords. There is no worse danger for a teacher than to teach words instead of things.

The Design of a Distributed Model Checking Algorithm for Spin

BLM2031 Structured Programming. Zeyneb KURT

Lecture 02 C FUNDAMENTALS

Model Viva Questions for Programming in C lab

Principles of Protocol Design MVP 10A 1

Logic Model Checking

Towards Promela verification using VerICS

SWEN-220 Mathematical Models of Software. Process Synchronization Critical Section & Semaphores

CIS 4930/6930: Principles of Cyber-Physical Systems

Enhancement of Feedback Congestion Control Mechanisms by Deploying Active Congestion Control

C-LANGUAGE CURRICULAM

Transcription:

Network Protocol Design and Evaluation 05 - Validation, Part I Stefan Rührup Summer 2009

Overview In the last lectures: Specification of protocols and data/message formats In this chapter: Building a validation model Verification with SPIN Example: Validation of the Alternating Bit Protocol 2

Validation and Model Checking Validation models for protocols: Description of procedure rules (partial description) Finite state model Prototype of an implementation Model checking Automated verification technique Does a protocol satisfy some predefined logical properties? 3

Model Checking Requirements Scope of classic model checking Design specification and validation Implementation Test and evaluation Deployment and maintenance 4

Model checking Customer or user requirements logic specification L Requirements elicitation Requirements analysis and negotiation Requirements documentation and specification Requirements validation validation model M model checking M L Negotiated and validated requirements [S. Leue, Design of Reactive Systems, Lecture Notes, 2001] 5

Model checking with SPIN Outline Describing validation models in PROMELA (Protocol / Process Meta Language) Simulation with SPIN (Simple Promela Interpreter) Adding correctness properties (assertions, temporal claims) Validation with SPIN: Building and executing a verifier 6

Promela & SPIN References Online resources Lot s of documents on www.spinroot.com, e.g. Tutorial: spinroot.com/spin/doc/spintutorial.pdf Manual: spinroot.com/spin/man/manual.html Books: G. J. Holzmann: The SPIN Model Checker: Primer and Reference Manual, Addison-Wesley, 2003 G. J. Holzmann, Design and Validation of Computer Protocols, Prentice Hall, 1991 7

PROMELA Process or Protocol Meta Language Description Language for describing validation models Application in reactive systems design (not only communication protocols) Basis for model checking with SPIN 8

Promela Model Abstract model focusing on procedure rules (i.e. the behavior of the protocol) based on the communicating finite state machine model process procedure rules message queues process procedure rules simplified data messages and channels not an implementation language, but a system description language 9

Promela Model Building blocks: Processes (asynchronous) Message channels (buffered and unbuffered) Synchronizing statements Structured data No clock, no floating point numbers, limited arithmetic functions [Holzmann 2003] 10

Example mtype = { msg0, msg1, ack0, ack1 ; chan to_sender = [2] of { mtype ; chan to_receiver = [2] of { mtype ; proctype Sender() { again: to_receiver!msg1; to_sender?ack1; to_receiver!msg0; to_sender?ack0; goto again type declaration channel declaration process declaration send statement receive statement proctype Receiver() { again: to_receiver?msg1; to_sender!ack1; to_receiver?msg0; to_sender!ack0; goto again init{ run Sender(); run Receiver(); init process 11

Elements of a PROMELA Model Type declarations Channel declarations Variable declarations Process declarations The init process (optional) mtype = { msg, ack chan StoR =... chan RtoS =... proctype Sender(chan in; chan out) { bit sendbit, rcvbit;... init { run Sender(RtoS, StoR);... 12

Elements of a PROMELA Model process A send channel C1 receive process B channel C2 run channel C3 process C init 13

Processes (1) Building block of a Promela Model defined by a proctype definition Processes contain a list of statements... and communicate via channels or via global variables parameters local variables body proctype Sender(chan in, out) { byte o,i; in?next(o); do ::in?msg(i) -> out!ack(o) ::in?err(i) -> out!nack(o) od I/O statement 14

Processes (2) Processes run concurrently They are created by the run statement at any point (within the init process or any other process)... or automatically by putting the active keyword in front of the proctype definition Several instances of the same type may be created number of instances to be created active[3] proctype Sender(...) {... initial process (similar to the main function in C) init { int pid = run Receiver(Rin, Rout) run returns the process ID 15

Execution constraints Optional: Priorities and Constraints Priorities change the probability of execution in random simulations (default = 1; higher number = higher priority). specified in proctype declarations or run-statements The provided clause constrains the execution with a global expression byte a; active proctype Sender(...) priority 2 provided (a > 1) {... 16

Data types and variables Basic data types: see table Arrays (one-dimensional) byte a[16]; Records typedef Msg { int n1; int n2 Msg m; Type bit bool byte chan mtype pid short int unsigned Range 0,1 false,true 0..255 1..255 1..255 0..255-2 15..2 15-1 -2 31..2 31-1 0..2 n -1 (1 n 32) Variables are declared as in C Default initialization: 0 [Holzmann 2003] 17

Statements and Executability A process contains a sequence of statements, which are assignments, e.g. a = b, or expressions, e.g. (a==b) Statements are either executable (enabled) or blocked. Assignments are always executable An expression is executable, if its evaluation is non-zero Examples: x >= 0 /* executable, if x is non-negative */ 3 < 2 /* always blocked */ x - 1 /* executable, if x!= 1 */ 18

Special Statements skip statement: do nothing, always executable run statement: only executable if a new process can be created goto statement: jump to a label, always executable assert statement: used to check certain properties, always executable 19

Control Flow Statements are separated by ; or -> Case selection if :: (choice1) -> statement1a; statement1b :: (choice2) -> statement2a; statement2b fi Repetition do :: statement1; :: (condition) -> break od Jumps: goto label 20

Case selection (1) guard statement if :: (choice1) -> statement1a; statement1b :: (choice2) -> statement2a; statement2b fi Only one sequence is executed required that the first statement is executable If more than one choice is executable, one sequence is chosen randomly and executed If no choice is executable, then the if-statement is blocked Here, the separator -> is used to separate guards from the rest of the statement sequence 21

Case selection (2) guard statement if :: (choice1) -> statement1a; statement1b :: (choice2) -> statement2a; statement2b :: else -> statement3 fi The else statement becomes executable, if all other guards are blocked. 22

Repetitions do :: (condition1) -> statement1a; statement1b :: (condition2) -> statement2a; statement2b :: (condition3) -> break od do-statements behave like if-statements, but with repeating the choice The do-statement (do-loop) is ended by break do :: (condition) -> statement :: else -> break od 23

Jumps and Labels Statements and control flow constructs can be preceded by a label Labels can be the destination of goto jumps As labels have to precede a statement, a jump to the end of the program can be realized by goto lastlabel;... lastlabel: skip There are special labels used in verification with the prefixes accept, end, and progress 24

Escape sequences { statement_sequence_1; unless { guard; statement_sequence_2 Statements of the first sequence are repeated until the first statement in the unless-block (guard statement) becomes executable 25

Timeouts The timeout statement becomes executable, if all other statements are blocked. Example: A process that sends a reset signal to a guard channel in case of a timeout [Holzmann 1991] proctype watchdog() { do :: timeout -> guard_channel!reset od 26

Channels Communication is modeled by sending and receving messages to and from channels Channels are FIFO message queues Declaration (with Initializer): chan name = [capacity] of {list of types Examples: chan a; /* basic declaration */ chan b[3]; /* array of channels */ chan c = [4] of {byte,int Channels have to be initialized before they can be used 27

Channels and message fields Channel initialization with message fields: chan c = [4] of {byte,int chan d = [1] of {mtype, short, bit... and the corresponding I/O statements: c!expr1,expr2 d!msg,var1,var2 d!msg(var1,var2) /* alternative notation */ By convention, the first field should specify the message type. 28

Message type definitions Messages types are declared using mtype: mtype = {msg, ack, error This defines and enumeration of three symbolic constants, which can be used later, e.g.: mtype n = msg; Messages can carry variables (if the channel allows it) byte data; out!msg(data) 29

Message passing Send statement: The statement ch!expr sends the value of the expression expr to the channel ch. The expression can be a message variable. It is executable, if the channel is not full. Receive statement: The statement ch?msg receives a message from a channel and stores it into a the variable msg. It is executable, if the channel is not empty. 30

Conditional receive The receive statement with constant expressions ch?const1,const2 removes the first message from the channel if the constants are matching with the message content. It is allowed to mix constant and variables: ch?const1,var 31

Sorted Send and Random Receive Sorted Send - Inserting messages in sorted numerical order (instead of FIFO): channel!!msg Random Receive - Retrieving random messages from a queue (instead of taking the first elemement out): channel??msg Random receive yields the first matching message 32

Channel polling The receive statement ch!<x,y> writes the message fields into the local variables x and y, but does not remove the message from the channel Testing without receiving: The statement ch![msg] is executed if there is a matching message, but the message is not removed from the channel. 33

Operations on Channels Operations on channels len(ch) /* number of messages stored in ch */ empty(ch) full(ch) Example: testing if there is space in the channel before sending a message:!full(ch) -> ch!msg 34

Race conditions Potential side-effects when using conditions, e.g. (len(ch) > 0) -> ch?msg ch?[msg] -> ch?msg In both cases, the second statement ch?msg is not necessarily executable after the first one! Other processes might access the channel in between. Solution: atomic { ch?[msg] -> ch?msg 35

Atomic sequences Sequences can be declared as atomic: Examples: atomic{ run A; run B atomic { ch?[msg] -> ch?msg The sequence may be non-deterministic Efficient alternative: d_step { sequence Deterministic indivisible sequence No jumps into or from this sequence 36

Example: Test and Set (1) Problem: What is the resulting state? byte state = 1; proctype A() { (state==1) -> state = state+1 proctype B() { (state==1) -> state = state-1 init { run A(); run B() 37

Example: Test and Set (2) Solution: atomic statements byte state = 1; proctype A() { atomic { (state==1) -> state = state+1 proctype B() { atomic { (state==1) -> state = state-1 init { run A(); run B() 38

Rendezvous Communication Rendezvous port (instead of asynchronous communication) chan port = [0] of {byte Zero-capacity channel, messages cannot be stored Example: #define msgtype 33 chan port = [0] of { byte, byte ; active proctype A() { port!msgtype(101); port!msgtype(102) /* not executable */ active proctype B() { byte state; port?msgtype(state) 39

Macros Promela models are processed by the C preprocessor, this allows to define Constants #define MAX 16 Macros #define dummy(a,b) (a+b) (De-)activation of code fragments #define ACTIVATED 1 #ifdef ACTIVATED #else #endif 40

Inline definitions Textual replacement Similar to macro definitions Cannot be used as an expression Inline sequence should not contain variable definitions inline swap(x,y) { c = x; x = y; y = c init { int a,b,c; init { int a,b,c; c = a; a = b; b = c swap(a,b) 41

Assertions Assertions are inserted into the program code Basic assertion: assert(expression) (there are also trace assertions) Assertions = correctness properties can be checked during simulation (other types of correctness properties require to run SPIN in validation mode) 42

Input and Output Output can be generated using printf() as in C. Input is possible by reading integer numbers from STDIN. Possibility of user-guided simulations Usually, the model should be closed 43

Example: ABP in Promela A simplified version of the Alternating Bit Protocol in Promela mtype = { msg0, msg1, ack0, ack1 ; chan to_sender = [2] of { mtype ; chan to_receiver = [2] of { mtype ; Sender q0!msg1 q1 to_receiver?ack0?ack1 q3!msg0 q2 queue active proctype Sender() { again: to_receiver!msg1; to_sender?ack1; to_receiver!msg0; to_sender?ack0; goto again queue Receiver q0!ack0?msg1!ack1 q1 to_sender q3?msg0 q2 active proctype Receiver() { again: to_receiver?msg1; to_sender!ack1; to_receiver?msg0; to_sender!ack0; goto again [Holzmann 2003] 44

What is this good for? Promela models can be simulated and automatically validated by the SPIN model checker SPIN (Simple Promela Interpreter) developed by Gerard J. Holzmann, Bell Labs open source Command line or Tcl/Tk GUI (XSpin) Download: http://spinroot.com/spin/src/ 45

Example: Simulating ABP with SPIN mtype = { msg0, msg1, ack0, ack1 ; chan to_sender = [2] of { mtype ; chan to_receiver = [2] of { mtype ; active proctype Sender() { again: to_receiver!msg1; to_sender?ack1; to_receiver!msg0; to_sender?ack0; goto again active proctype Receiver() { again: to_receiver?msg1; to_sender!ack1; to_receiver?msg0; to_sender!ack0; goto again [Holzmann 2003] > spin -c -u14 abp.pml proc 0 = Sender proc 1 = Receiver q\p 0 1 1 to_receiver!msg1 1. to_receiver?msg1 2. to_sender!ack1 2 to_sender?ack1 1 to_receiver!msg0 1. to_receiver?msg0 2. to_sender!ack0 2 to_sender?ack0 1 to_receiver!msg1 1. to_receiver?msg1 2. to_sender!ack1 2 to_sender?ack1 ------------- depth-limit reached ------------- final state: ------------- #processes: 2 queue 2 (to_sender): queue 1 (to_receiver): [msg0] 15: proc 1 (Receiver) line 21 "abp.pml" (state 3) 15: proc 0 (Sender) line 12 "abp.pml" (state 4) 2 processes created 46

Goodies: Generating MSCs mtype = { msg0, msg1, ack0, ack1 ; chan to_sender = [2] of { mtype ; chan to_receiver = [2] of { mtype ; active proctype Sender() { again: to_receiver!msg1; to_sender?ack1; to_receiver!msg0; to_sender?ack0; goto again active proctype Receiver() { again: to_receiver?msg1; to_sender!ack1; to_receiver?msg0; to_sender!ack0; goto again [Holzmann 2003] > spin -M -u steps 5 5;!'$>'( -;<'2'#='( -?*@('2'#='(A3)B- /?*@('2'#='(C3)B- E +?*@('2'#='(A3)B5 F?*@('2'#='(C3)B5.?*@)'$>'(A72D5 6?*@)'$>'(C72D5 0?*@)'$>'(A72D-?*@)'$>'(C72D- -5?*@('2'#='(A3)B- -/?*@('2'#='(C3)B- -0?*@)'$>'(A72D- -E?*@)'$>'(C72D- -+?*@('2'#='(A3)B5 -F?*@('2'#='(C3)B5 -.?*@)'$>'(A72D5-6?*@)'$>'(C72D5 47

Goodies: Generating a state chart mtype = { msg0, msg1, ack0, ack1 ; chan to_sender = [2] of { mtype ; chan to_receiver = [2] of { mtype ; active proctype Sender() { again: to_receiver!msg1; to_sender?ack1; to_receiver!msg0; to_sender?ack0; goto again active proctype Receiver() { again: to_receiver?msg1; to_sender!ack1; to_receiver?msg0; to_sender!ack0; goto again [Holzmann 2003] XSPIN: 1. Run -> View state automaton 2. Select process to_receiver!msg1 [(2,2)] line 10 line 11 state 1 line 9 is a loopstate to_sender?ack1 [(1,3)] to_sender?ack0 [(1,3)] to_receiver!msg0 [(2,2)] line 12 48

Lessons learned A validation model is an abstract system model Models are no timed. Any possible sequence of process interaction will be checked. We describe validation models in Promela, based on communicating (extended) finite state machines Special constructs in Promela: Statements and their executability 49

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback