Lecture 3 SPIN and Promela

Similar documents
What is SPIN(Simple Promela Interpreter) Elements of Promela. Material About SPIN. Basic Variables and Types. Typical Structure of Promela Model

What is SPIN(Simple Promela Interpreter) Material About SPIN. Elements of Promela. Basic Variables and Types. Typical Structure of Promela Model

CS477 Formal Software Development Methods / 39

Network Protocol Design and Evaluation

CS477 Formal Software Development Methods / 32

Computer Aided Verification 2015 The SPIN model checker

A Tutorial on Model Checker SPIN

Design of Internet Protocols:

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

The SPIN Model Checker

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

Software Engineering using Formal Methods

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

Formal Specification and Verification

Hello World. Slides mostly a reproduction of Theo C. Ruys SPIN Beginners Tutorial April 23, Hello() print "Hello"

Spin: Overview of PROMELA

Software Engineering using Formal Methods

T Parallel and Distributed Systems (4 ECTS)

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

Tool demonstration: Spin

Applications of Formal Verification

Applications of Formal Verification

Applications of Formal Verification

Spin: Overview of PROMELA

Design and Analysis of Distributed Interacting Systems

Patrick Trentin Formal Methods Lab Class, March 03, 2017

Patrick Trentin Formal Methods Lab Class, Feb 26, 2016

Network Protocol Design and Evaluation

Distributed Systems Programming F29NM1 2. Promela I. Andrew Ireland. School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh

The Spin Model Checker : Part I/II

Introduction to Model Checking

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

SPIN: Part /614 Bug Catching: Automated Program Verification. Sagar Chaki November 12, Carnegie Mellon University

Logic Model Checking

The Spin Model Checker : Part I. Moonzoo Kim KAIST

The SPIN Model Checker

Formal Verification by Model Checking

Beginner s SPIN Tutorial

SPIN: Introduction and Examples

SPIN. Carla Ferreira.

Multi-Threaded System int x, y, r; int *p, *q, *z; int **a; EEC 421/521: Software Engineering. Thread Interleaving SPIN. Model Checking using SPIN

THE MODEL CHECKER SPIN

SWEN-220 Mathematical Models of Software. Process Synchronization Critical Section & Semaphores

INF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen

Model checking Timber program. Paweł Pietrzak

T Parallel and Distributed Systems (4 ECTS)

Using Model Checking with Symbolic Execution for the Verification of Data-Dependent Properties of MPI-Based Parallel Scientific Software

SPIN, PETERSON AND BAKERY LOCKS

SWEN-220 Mathematical Models of Software. Concurrency in SPIN Interleaving

Ch 9: Control flow. Sequencers. Jumps. Jumps

transformation of PROMELA models into Channel Systems,

Chapter 6: Process Synchronization

Blocking Non-blocking Caveat:

Automated Reasoning. Model Checking with SPIN (II)

Distributed Systems Programming (F21DS1) SPIN: Simple Promela INterpreter

TOWARDS AUTOMATED VERIFICATION OF WEB SERVICES

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis II

Building Graphical Promela Models using UPPAAL GUI

Concurrency: Mutual Exclusion and

LTL Reasoning: How It Works

Using Spin to Help Teach Concurrent Programming

Linear Temporal Logic. Model Checking and. Based on slides developed by Natasha Sharygina. Carnegie Mellon University.

INF5140: Specification and Verification of Parallel Systems

The Design of a Distributed Model Checking Algorithm for Spin

Formal Methods for Software Development

Principles of Protocol Design MVP 10A 1

Models of concurrency & synchronization algorithms

Model Requirements and JAVA Programs MVP 2 1

Mapping of UML Diagrams to Extended Petri Nets for Formal Verification

EMBEDDED C CODE 17. SPIN Version 4 supports the inclusion of embedded C code into PROMELA models through the following fiv e new primitives:


Concurrency: Mutual Exclusion and Synchronization

Model-Checking Concurrent Systems

G52CON: Concepts of Concurrency

Multitasking / Multithreading system Supports multiple tasks

Model-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner

Modelling Without a Modelling Language

A Verification Approach for GALS Integration of Synchronous Components

Formal Specification and Verification

FORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY

Generating Code from Event-B Using an Intermediate Specification Notation

Concept of a process

Principles of Protocol Design. MVP10 plan. What is a protocol? Typical SPIN applications. The three parts of a protocol description

Process Management And Synchronization

CS3733: Operating Systems

Real Time & Embedded Systems. Final Exam - Review

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis I

these developments has been in the field of formal methods. Such methods, typically given by a

Testing Concurrent Programs: Model Checking SPIN. Bengt Jonsson

A Deterministic Concurrent Language for Embedded Systems

Towards Promela verification using VerICS

CS4411 Intro. to Operating Systems Exam 1 Fall points 10 pages

A Deterministic Concurrent Language for Embedded Systems

Using Model Checking to Debug Device Firmware

Design for Verification for Asynchronously Communicating Web Services

Analyzing Singularity Channel Contracts

A Practical approach on Model checking with Modex and Spin

Temporal Logic and Timed Automata

Dr. D. M. Akbar Hussain DE5 Department of Electronic Systems

Chapter 6: Synchronization. Chapter 6: Synchronization. 6.1 Background. Part Three - Process Coordination. Consumer. Producer. 6.

Transcription:

Lecture 3 SPIN and Promela 1

What is SPIN(Simple Promela INterpreter) A tool for analyzing mels of concurrent systems Mels described in Promela Language with concurrent processes Communication via shared variables and channels Analysis by Simulation Mel checking Several optimizations implemented most efficient tool for explicit-state mel checking 2

Material About SPIN SPIN Home page http://spinroot.com/spin/ Contains manuals, reference material, and tutorial Books about SPIN and its use G.J. Holzmann SPIN MODEL CHECKER Primer and Reference Manual, G.J. Holzmann Design and Validation of Computer Protocols,, Prentice Hall 1991, older book, available on the Internet M. Ben-Ari Principles of Concurrent and Distributed Programming Tutorials, etc. linked from SPIN Home page 3

Elements of Promela Language for defining finite-state transition systems Data types with precisely defined finite mains Bits, integers, arrays, messages Processes, which can be dynamically created Communication via global variables or communication channels Simple control constructs 4

Transition System Semantics of Promela Each Promela mel defines a transition system State consists of Valuation of global variables and communication channels Local state of each created process Transitions defined by Statements in the bies of processes Each process denotes an action system or process automaton 5

Transition System Semantics: Illustration bool y1, y2; int t; active proctype P1() { l0: y1 = 1; l1: t = 2; l2: (y2 == 0 t == 1); l3: y1 = 0 ; goto l0 active proctype P2() { m0: y2 = 1; m1: t = 1; m2: (y1 == 0 t == 2); m3: y2 = 0 ; goto m0 6

Transition System Semantics: Illustration bool y1, y2; int t; active proctype P1() { l0: y1 = 1; l1: t = 2; l2: (y2 == 0 t == 1); l3: y1 = 0 ; goto l0 active proctype P2() { m0: y2 = 1; m1: t = 1; m2: (y1 == 0 t == 2); m3: y2 = 0 ; goto m0 P1: l0 y1 = 0 l3 y1 = 1 l1 t = 2 (y2==0 t==1) l2 7

Transition System Semantics: Illustration bool y1, y2; int t; active proctype P1() { l0: y1 = 1; l1: t = 2; l2: (y2 == 0 t == 1); l3: y1 = 0 ; goto l0 active proctype P2() { m0: y2 = 1; m1: t = 1; m2: (y1 == 0 t == 2); m3: y2 = 0 ; goto m0 P1: l0 y1 = 0 l3 P2: y2 = 0 m0 m3 y1 = 1 l1 t = 2 (y2==0 t==1) l2 y2 = 1 m1 t = 1 (y1==0 t==2) m2 8

Typical Structure of Promela Mel In its basic form, Promela mel consists of type declarations channel declarations variable declarations process declarations init process mtype = {msg, ack; chan tos =... chan tor =... bool flag; proctype Sender () {... proctype Receiver () {... init {... 9

Basic Variables and Types Basic types Array declaration Array access bit [0.. 1] bool [0.. 1] byte [0.. 255] short [-2 15.. 2 15-1] int [-2 31.. 2 31-1] byte anarray[24]; anarray[v] = anarray[3]; Records type definition Record declaration Record access typedef Msg{ byte a[3], b; chan p Msg astruct astruct.a[1] Enumeration type f. messages mtype = {ack, nak, err, next 10

Expressions Operators + - * / % ^ > >= < <= ==!=! && & - >> << ++ -- Conditional expression (v >= 0 -> v : -v) Operations on channel identifers len(qid) empty(qid) nempty(qid) full(qid) nfull(qid) 11

Basic Statements Expressions Assignments No-Op (y == false x > 9) y = 34 % 3 anarray[0] = anarray[3] * anarray[(v+2)/4] skip Goto Print (only in simulation) goto label printf All basic statements are either executable (enabled) or blocked (disabled) (of course, depending on values of variables, etc.) Expressions are also statements THIS IS IMPORTANT Blocked if evaluated to 0, otherwise executable In this way, expressions/statements can be used as guards 12

Compound Statements Sequential composition Selection test == 1 ; state = state + 1 test == 1 -> state = state + 1 if :: (a == b) -> state = state + 1 :: (a!= b) -> state = state 1 fi equivalent if :: (a == b) -> state = state + 1 :: else -> state = state 1 fi Selection can be nonderministic if :: input? offhook :: (a == b) -> b = 3 ; goto onhook :: output! wakeup :: b = 3 /*any statement can be guard*/ fi 13

Compound Statements (ctd.) Repetition :: (m > n) -> m = m - n :: (m < n) -> n = n m :: (m == n) -> break ; printf ( GCD = %d\n, m) Note ; (semicolon) is a statement separator (not a statement terminator as in C) E.g., no need to have ; after clauses in - statements (but es not harm either) 14

Processes and process types Name Local variable declarations proctype Sender(chan in; chan out) { bit sndb, rcvb; formal parameters :: out! data(sndb) -> in? ack(rcvb); if :: sndb == rcvb > sndb = 1-sndB :: else -> skip fi Process types defined by proctype definitions A process type may be instantiated (to a process) several times Each process has its local state (pc, local variables) Processes execute concurrently, by interleaving 15

Process instantiations Processes are created by run statement/expression run returns process id proctype Foo(byte x) {... Processes execute their first statement some time after creation init { int pid = run Foo(2); run Foo(27) Alternative mechanism: Processes can be statically created at initialization time (no formal parameters allowed) active[3] proctype Bar(){... 16

Communication Channels Channels used for passing messages Asynchronous (buffered, default is FIFO) Synchronous (rendez-vous) chan qid = [4] of {mtype, int, byte chan synch[3] = [0] of {mtype, int name capacity types of messages Sending Receiving qid! var1, const, var qid! err(const, var) qid? err(const, var) matched assigned Non-mifying receive qid? [err, const, var] Sorted send/receive (inserts lexicographically, receives any element) qid!! err(const, var) qid?? err(const, var) 17

Communication Channels (ctd.) Declaring synchronous (rendez-vous) channel w. capacity 0 chan synch[3] = [0] of {mtype, int 18

Peterson-Fischer Mutual Exclusion #define true 1 #define false 0 #define turn1 false #define turn2 true bool y1, y2, t; byte mutex = 0; proctype P2() { m1: y2 = true; m2: t = turn1; m3: (y1 == false t == turn2) ; m4: /* critical section */ y2 = false ; goto m1 proctype P1() { l1: y1 = true; l2: t = turn2; l3: (y2 == false t == turn1) ; l4: /* critical section */ y1 = false ; goto l1 init { atomic { run P1() ; run P2() 19

Peterson-Fischer Mutual Exclusion #define true 1 #define false 0 #define turn1 false #define turn2 true bool y1, y2, t; byte mutex = 0; proctype P1() { l1: y1 = true; l2: t = turn2; l3: (y2 == false t == turn1) ; mutex++ ; assert (mutex <= 1) ; l4: /* critical section */ mutex -- ; y1 = false ; goto l1 proctype P2() { m1: y2 = true; m2: t = turn1; m3: (y1 == false t == turn2) ; mutex++ ; assert (mutex <= 1) ; m4: /* critical section */ mutex-- ; y2 = false ; goto m1 init { atomic { run P1() ; run P2() 20

Checking by monitor #define true 1 #define false 0 #define turn1 false #define turn2 true bool y1, y2, t; byte mutex = 0; proctype P1() { l1: y1 = true; l2: t = turn2; l3: (y2 == false t == turn1) ; mutex++ ; l4: /* critical section */ mutex -- ; atomic{ y1 = false ; goto l1 proctype P2() { m1: y2 = true; m2: t = turn1; m3: (y1 == false t == turn2) ; mutex++ ; m4: /* critical section */ mutex-- ; atomic{ y2 = false ; goto m1 active proctype monitor() { assert (mutex <= 1) init { atomic { run P1() ; run P2() 21

Checking deadlocks #define true 1 #define false 0 #define turn1 false #define turn2 true bool y1, y2, t; byte mutex = 0; proctype P1() { l1: y1 = true; l2: skip ; l3: (y2 == false) ; mutex++ ; l4: /* critical section */ mutex -- ; y1 = false ; goto l1 proctype P2() { m1: y2 = true; m2: skip ; m3: (y1 == false) ; mutex++ ; m4: /* critical section */ mutex-- ; y2 = false ; goto m1 active proctype monitor() { assert (mutex <= 1) init { atomic { run P1() ; run P2() 22

Problem with Atomicity Only basic statements are atomic Q: What is the final value of state? byte state = 1; proctype A() { state == 1 -> state++ proctype B() { state == 1 -> state-- init { run A() ; run B() 23

Solution: atomic-construct A process whose control is inside atomic{ executes without being interrupted by other processes NOTE: Make sure that such a sequence cannot be blocked inside (after the first statement). In that case, Promela will suspend the process, and you get unintended semantics. byte state = 1; proctype A() { atomic { state == 1 -> state++ proctype B() { atomic { state == 1 -> state-- init { atomic {run A() ; run B() 24

Other use of atomic{ To group complex manipulation into single transition If the manipulation is deterministic and always exits at the end, d_step { is more efficient d_step denotes a single transition atomic denotes a sequence of transitions with interrupt disabled atomic { cnt = 0 ; :: (cnt < Max) -> z[cnt] = 3; cnt++ :: (cnt >= Max) -> break d_step { cnt = 0 ; :: (cnt < Max) -> z[cnt] = 3; cnt++ :: (cnt >= Max) -> break 25

Else and Timeout else is enabled if no other statement in the same process is enabled :: (m > n) -> m = m - n :: (m < n) -> n = n m :: else -> break ; printf ( GCD = %d\n, m) timeout is enabled if no other statement in the entire Promela mel is enabled skip is best to use if we want to be sure to analyze the effect of possibly premature timeout. :: input? offhook :: input? ringing :: timeout -> output! wakeup Od :: input? offhook :: input? ringing :: skip -> output! wakeup 26

Useful Macros IF without else branch #define IF if :: #define FI :: else fi Allows to write IF b -> x++ FI FOR loop #define FOR(i,l,h) i = l ; :: i < h -> #define ROF(i,l,h) ;i++ :: i >= h -> break Allows to write FOR(i,0,N) run proc(i) ROF(i,0,N) which means i = 0 ; :: i < N -> run proc(i) :: i >= N -> break 27

New Language Constructs (V6, 2010) For loops Several variants for (i : 1.. 9) { run proc(i) int a[10]; for (i in a) { printf( a[%d] = %d\n, i, a[i]) Selection (nondeterministic) int i; select (i : 1..10); printf( %d\n, i); Parser translates them to basic Promela 28

Message Transmission Protocol mtype = { m0, m1, ack proctype Sender{ Send0: :: skip -> /* timeout */ StoR!m0 :: RtoS?ack -> /* rec ack */ SoR!m1; goto Send1 ; Send1: :: skip -> /* timeout */ StoR!m1 :: RtoS?ack -> /* rec ack */ StoR!m0; goto Send0 proctype Receiver{ Rec0: :: StoR?any -> skip /* loss */ :: StoR?m0 -> RtoS!ack; goto Rec1 Rec1: :: StoR?any -> skip /* loss */ :: StoR?m1 -> RtoS!ack; goto Rec0 init { chan StoR = [1] of { mtype ; chan RtoS = [1] of { mtype ; atomic { StoR!m0; /* start */ run Sender; run Receiver 29

Alternating Bit Protocol (version 1) mtype = { msg, ack ; chan s_r = [2] of {mtype, byte, bit; chan r_s = [2] of {mtype, bit ; active proctype Sender() { byte data = 0; bit sbit, seqno = 0; :: s_r! msg(data, sbit) -> r_s? ack(seqno); if :: seqno == sbit -> sbit = 1 sbit; data++ :: else fi active proctype Receiver() { byte recd ; bit rbit, seqno = 0; :: s_r? msg (recd, seqno) -> r_s! ack(seqno); if :: seqno == rbit -> rbit = 1 rbit :: else fi 30

Alternating Bit Protocol (version 1 altern) mtype = { msg, ack ; chan s_r = [2] of {mtype, byte, bit; chan r_s = [2] of {mtype, bit ; proctype Sender() { byte data = 0; bit sbit, seqno = 0; :: s_r! msg(data, sbit) -> r_s? ack(seqno); if :: seqno == sbit -> sbit = 1 sbit; data++ :: else fi proctype Receiver() { byte recd ; bit rbit, seqno = 0; :: s_r? msg (recd, seqno) -> r_s! ack(seqno); if :: seqno == rbit -> rbit = 1 rbit :: else fi init { atomic { run Sender(); run Receiver() 31

AB Protocol (version 2, with losses ) mtype = { msg, ack ; chan s_r = [2] of {mtype, byte, bit; chan r_s = [2] of {mtype, bit ; active proctype Sender() { byte data = 0; bit sbit, seqno = 0; :: s_r! msg(data, sbit) -> r_s? ack(seqno); if :: seqno == sbit -> sbit = 1 - sbit ; data++ :: else fi :: (1) -> skip active proctype Receiver() { byte recd ; bit rbit, seqno = 0; :: s_r? msg (recd, seqno) -> if :: r_s! ack(seqno) :: skip fi; if :: seqno == rbit -> rbit = 1 - rbit :: else fi 32

AB Protocol (version 3, w. retransmission) mtype = { msg, ack ; chan s_r = [2] of {mtype, byte, bit; chan r_s = [2] of {mtype, bit ; active proctype Sender() { byte data = 0; bit sbit, seqno = 0; :: s_r! msg(data, sbit) :: (1) -> skip :: r_s? ack(seqno); if :: seqno == sbit -> sbit = 1 - sbit ; data++ :: else fi active proctype Receiver() { byte recd, expected = 0; bit rbit = 1, seqno; :: s_r? msg (recd, seqno) -> if :: seqno!= rbit -> rbit = 1 - rbit ; assert(recd == expected) ; expected++ :: else fi :: r_s! ack (rbit) :: (1) -> skip 33

AB Protocol (version 4, w. checks) mtype = { msg, ack ; chan s_r = [2] of {mtype, byte, bit; chan r_s = [2] of {mtype, bit ; active proctype Sender() { byte data = 0; bit sbit, seqno = 0; :: data < 10 -> s_r! msg(data, sbit) :: (1) -> skip :: r_s? ack(seqno); if :: seqno == sbit -> sbit = 1 - sbit ; data++ :: else fi active proctype Receiver() { byte recd, expected = 0; bit rbit = 1, seqno; :: s_r? msg (recd, seqno) -> if :: seqno!= rbit -> rbit = 1 - rbit ; assert(recd == expected); expected++ :: else fi :: r_s! ack (rbit) :: (1) -> skip 34

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback