What is SPIN(Simple Promela Interpreter) Material About SPIN. Elements of Promela. Basic Variables and Types. Typical Structure of Promela Model

Similar documents
What is SPIN(Simple Promela Interpreter) Elements of Promela. Material About SPIN. Basic Variables and Types. Typical Structure of Promela Model

Lecture 3 SPIN and Promela

CS477 Formal Software Development Methods / 39

CS477 Formal Software Development Methods / 32

Network Protocol Design and Evaluation

A Tutorial on Model Checker SPIN

Design of Internet Protocols:

Computer Aided Verification 2015 The SPIN model checker

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

The SPIN Model Checker

Network Protocol Design and Evaluation

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

Hello World. Slides mostly a reproduction of Theo C. Ruys SPIN Beginners Tutorial April 23, Hello() print "Hello"

Tool demonstration: Spin

Spin: Overview of PROMELA

T Parallel and Distributed Systems (4 ECTS)

Software Engineering using Formal Methods

Patrick Trentin Formal Methods Lab Class, March 03, 2017

Patrick Trentin Formal Methods Lab Class, Feb 26, 2016

The Spin Model Checker : Part I/II

INF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen

Spin: Overview of PROMELA

Design and Analysis of Distributed Interacting Systems

Formal Specification and Verification

Software Engineering using Formal Methods

Logic Model Checking

Applications of Formal Verification

Formal Verification by Model Checking

Applications of Formal Verification

Distributed Systems Programming F29NM1 2. Promela I. Andrew Ireland. School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh

LTL Reasoning: How It Works

The SPIN Model Checker

The Spin Model Checker : Part I. Moonzoo Kim KAIST

Applications of Formal Verification

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

Introduction to Model Checking

Multi-Threaded System int x, y, r; int *p, *q, *z; int **a; EEC 421/521: Software Engineering. Thread Interleaving SPIN. Model Checking using SPIN

SPIN: Part /614 Bug Catching: Automated Program Verification. Sagar Chaki November 12, Carnegie Mellon University

Beginner s SPIN Tutorial

Model checking Timber program. Paweł Pietrzak

SPIN: Introduction and Examples

SPIN. Carla Ferreira.

THE MODEL CHECKER SPIN

SWEN-220 Mathematical Models of Software. Process Synchronization Critical Section & Semaphores

Blocking Non-blocking Caveat:

Automated Reasoning. Model Checking with SPIN (II)

SPIN, PETERSON AND BAKERY LOCKS

Linear Temporal Logic. Model Checking and. Based on slides developed by Natasha Sharygina. Carnegie Mellon University.

TOWARDS AUTOMATED VERIFICATION OF WEB SERVICES

INF5140: Specification and Verification of Parallel Systems

Principles of Protocol Design MVP 10A 1

Principles of Protocol Design. MVP10 plan. What is a protocol? Typical SPIN applications. The three parts of a protocol description


Chapter 6: Process Synchronization

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis II

Using Spin to Help Teach Concurrent Programming

Building Graphical Promela Models using UPPAAL GUI

Applicant. LLC Service. LAN Segment

Lecture 2: Intro to Concurrent Processing. A Model of Concurrent Programming

T Parallel and Distributed Systems (4 ECTS)

The Design of a Distributed Model Checking Algorithm for Spin

Distributed Systems Programming (F21DS1) SPIN: Simple Promela INterpreter

Model Requirements and JAVA Programs MVP 2 1

Ch 9: Control flow. Sequencers. Jumps. Jumps

Siegfried Loer and Ahmed Serhrouchni. Abstract. SPIN is a tool to simulate and validate Protocols. PROMELA, its

Model-Checking Concurrent Systems

Formal Methods for Software Development

Model-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner

Formal Specification and Verification

Using Model Checking with Symbolic Execution for the Verification of Data-Dependent Properties of MPI-Based Parallel Scientific Software

A Practical approach on Model checking with Modex and Spin

SWEN-220 Mathematical Models of Software. Concurrency in SPIN Interleaving

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis I

Process Management And Synchronization

Generating Code from Event-B Using an Intermediate Specification Notation

What is the Race Condition? And what is its solution? What is a critical section? And what is the critical section problem?

Towards Promela verification using VerICS

Modelling Without a Modelling Language

SPIN part 2. Verification with LTL. Jaime Ramos. Departamento de Matemática, Técnico, ULisboa

MP 6 Modeling in Promela and SPIN

Concurrency: Mutual Exclusion and

transformation of PROMELA models into Channel Systems,

Formal Methods for Software Development

EMBEDDED C CODE 17. SPIN Version 4 supports the inclusion of embedded C code into PROMELA models through the following fiv e new primitives:

The S-Expression Design Language (SEDL) James C. Corbett. September 1, Introduction. 2 Origins of SEDL 2. 3 The Language SEDL 2.

Testing Concurrent Programs: Model Checking SPIN. Bengt Jonsson

CS3733: Operating Systems

Model Checking with Automata An Overview

Formal Verification of Process Communications in Operational Flight Program for a Small-Scale Unmanned Helicopter

Operating Systems (2INC0) 2017/18

A Deterministic Concurrent Language for Embedded Systems

A Verification Approach for GALS Integration of Synchronous Components

A Deterministic Concurrent Language for Embedded Systems

Temporal Logic and Timed Automata

TRIAL-EXAM Software Engineering using Formal Methods TDA293 (TDA292) / DIT270. Only dictionaries may be used. Other aids are not allowed!

Concurrency: Mutual Exclusion and Synchronization

Chapter 6: Synchronization. Chapter 6: Synchronization. 6.1 Background. Part Three - Process Coordination. Consumer. Producer. 6.

Analyzing Singularity Channel Contracts

Transcription:

What is SPIN(Simple Promela Interpreter) Lecture 3 SPIN and Promela A tool for analyzing mels of reactive systems Mels described in Promela Language with concurrent processes, Communication via channels, Analysis by Simulation Mel checking Several optimizations implemented most efcient tool for explicit-state mel checking 1 2 Material About SPIN SPIN Home page http://spinroot.com/spin/ Contains manuals, reference material, and tutorial Books about SPIN G.J. Holzmann SPIN MODEL CHECKER Primer and Reference Manual, G.J. Holzmann Design and Validation of Computer Protocols,, Prentice Hall 1991, older book, available on the Internet Elements of Promela Language for dening nite-state transition systems Data types with precisely dened nite mains Bits, integers, arrays, messages Processes, which can be dynamically created Communication via global variables or communication channels Simple control constructs 3 4 ypical Structure of Promela Mel Basic Variables and ypes Promela mel consists of type declarations channel declarations variable declarations process declarations init process mtype = {msg, ack; chan tos = chan tor = bool flag; proctype Sender () { proctype Receiver () { Basic types Array declaration Array access Records type denition Record declaration Record access Enumeration type f. messages bit [0.. 1] bool [0.. 1] byte [0.. 255] short [-2 15.. 2 15-1] int [-2 31.. 2 31-1] byte anarray[24]; anarray[v] = anarray[3]; typedef Msg{ byte a[3], b; chan p Msg astruct astruct.a[1] mtype = {ack, nak, err, next 5 6 1

Expressions Basic Statements Operators + - * / % ^ > >= < <= ==!=! && & - >> << ++ -- Expressions Assignments No-Op (y == false x > 9) y = 34 % 3 anarray[0] = anarray[3] * anarray[(v+2)/4] skip Conditional expression (v >= 0 -> v : -v) Goto goto label Operations on channel identers len(qid) empty(qid) full(qid) nempty(qid) nfull(qid) 7 printf Print (only in simulation) All basic statements are either executable (enabled) or blocked (disabled) (of course, depending on values of variables, etc.) Expressions are also statements Blocked evaluated to 0, otherwise executable In this way, expressions/statements can be used as guards 8 Compound Statements Compound Statements (ctd.) Sequential composition Selection test == 1 ; state = state + 1 test == 1 -> state = state + 1 :: (a == b) -> state = state + 1 :: (a!= b) -> state = state 1 equivalent Repetition :: (m > n) -> m = m - n :: (m < n) -> n = n m :: (m == n) -> break ; printf ( GCD = %d\n, m) :: (a == b) -> state = state + 1 -> state = state 1 Selection can be nonderministic :: input? offhook :: (a == b) -> b = 3 ; goto onhook :: output! wakeup :: b = 3 /*any statement can be guard*/ 9 10 Processes and process types Name proctype Sender(chan in; chan out) { Local variable declarations bit sndb, rcvb; :: out! data(sndb) -> in? ack(rcvb); formal parameters :: sndb == rcvb > sndb = 1-sndB -> skip Processes dened by proctype denitions A process type may be instantiated several times Each process has its local state (pc, local variables) Processes execute concurrently, by interleaving Process instantiations Processes are created by run statement/expression run returns process id Processes execute their rst statement some time after creation Processes can be statically created at initialization time (no formal parameters allowed) proctype Foo(byte x) { int pid = run Foo(2); run Foo(27) active[3] proctype Bar(){ 11 12 2

Communication Channels Communication Channels (ctd.) Channels used for passing messages Asynchronous (buffered, default is FIFO) Synchronously (rendez-vous) Declaring synchronous (rendez-vous) channel w. capacity 0 chan synch[3] = [0] of {mtype, int chan qid = [4] of {mtype, int, byte chan synch[3] = [0] of {mtype, int name capacity types of messages Sending qid! var1, const, var qid! err(const, var) matched Receiving qid? err(const, var) assigned Non-mying receive qid? [err, const, var] Sorted send/receive (inserts lexicographically, receives any element) qid!! err(const, var) qid?? err(const, var) 13 14 Peterson-Fischer Mutual Exclusion Peterson-Fischer Mutual Exclusion #dene true 1 #dene false 0 #dene turn1 false #dene turn2 true l2: t = turn2; l3: (y2 == false t == turn1) ; atomic{ y1 = false ; goto l1 m2: t = turn1; m3: (y1 == false t == turn2) ; atomic{ y2 = false ; goto m1 run P1() ; run P2() #dene true 1 #dene false 0 #dene turn1 false #dene turn2 true l2: t = turn2; l3: (y2 == false t == turn1) ; assert (mutex <= 1) ; mutex -- ; atomic{ y1 = false ; goto l1 m2: t = turn1; m3: (y1 == false t == turn2) ; assert (mutex <= 1) ; mutex-- ; atomic{ y2 = false ; goto m1 run P1() ; run P2() 15 16 Problem with Atomicity Solution: atomic-construct Only basic statements are atomic Q: What is the nal value of state? byte state = 1; proctype A() { state == 1 -> state++ proctype B() { state == 1 -> state-- run A() ; run B() A process whose control is inside atomic{ executes without being interrupted by other processes NOE: Make sure that such a sequence cannot be blocked inside (after the rst statement). In that case, Promela will suspend the process, and you get unintended semantics. byte state = 1; proctype A() { state == 1 -> state++ proctype B() { state == 1 -> state-- run A() ; run B() 17 18 3

Other use of atomic{ Else and imeout o group complex manipulation into single transition cnt = 0 ; :: (cnt < Max) -> z[cnt] = 3; cnt++ :: (cnt >= Max) -> break else is enabled no other statement in the same process is enabled :: (m > n) -> m = m - n :: (m < n) -> n = n m -> break ; printf ( GCD = %d\n, m) If the manipulation is deterministic and always exits at the end d_step { is more efcient d_step { cnt = 0 ; :: (cnt < Max) -> z[cnt] = 3; cnt++ :: (cnt >= Max) -> break 19 timeout is enabled no other statement in the entire Promela mel is enabled skip is best to use we want to be sure to analyze the effect of possibly premature timeout. :: input? offhook :: input? ringing :: timeout -> output! wakeup Od :: input? offhook :: input? ringing -> output! wakeup 20 Useful Macros Message ransmission Protocol IF without else branch Allows to write FOR loop Allows to write which means #dene IF :: #dene FI IF b -> x++ FI #dene FOR(i,l,h) i = l ; :: i < h -> #dene ROF(i,l,h) ;i++ :: i >= h -> break FOR(i,0,N) run proc(i) ROF(i,0,N) i = 0 ; :: i < N -> run proc(i) :: i >= N -> break mtype = { m0, m1, ack proctype Sender{ Send0: -> /* timeout */ StoR!m0 :: RtoS?ack -> /* rec ack */ SoR!m1; goto Send1 ; Send1: -> /* timeout */ StoR!m1 :: RtoS?ack -> /* rec ack */ StoR!m0; goto Send0 proctype Receiver{ Rec0: :: StoR?any -> skip /* loss */ :: StoR?m0 -> RtoS!ack; goto Rec1 Rec1: :: StoR?any -> skip /* loss */ :: StoR?m1 -> RtoS!ack; goto Rec0 chan StoR = [1] of { mtype ; chan RtoS = [1] of { mtype ; StoR!m0; /* start */ run Sender; run Receiver 21 22 Alternating Bit Protocol (version 1) Alternating Bit Protocol (version 1 altern) mtype = { msg, ack ; chan s_r = [2] of {mtype, byte, bit; chan r_s = [2] of {mtype, bit ; r_s? ack(seqno); sbit = 1 sbit; byte recd ; bit rbit, seqno = 0; r_s! ack(seqno); :: seqno == rbit -> rbit = 1 rbit mtype = { msg, ack ; chan s_r = [2] of {mtype, byte, bit; chan r_s = [2] of {mtype, bit ; proctype Sender() { r_s? ack(seqno); sbit = 1 sbit; proctype Receiver() { byte recd ; bit rbit, seqno = 0; r_s! ack(seqno); :: seqno == rbit -> rbit = 1 rbit run Sender(); run Receiver() 23 24 4

AB Protocol (version 2, with losses ) AB Protocol (version 3, w. retransmission) mtype = { msg, ack ; chan s_r = [2] of {mtype, byte, bit; chan r_s = [2] of {mtype, bit ; r_s? ack(seqno); byte recd ; bit rbit, seqno = 0; :: r_s! ack(seqno) ; :: seqno == rbit -> rbit = 1 - rbit mtype = { msg, ack ; chan s_r = [2] of {mtype, byte, bit; chan r_s = [2] of {mtype, bit ; :: s_r! msg(data, sbit) assert(recd == expected) ; 25 26 AB Protocol (version 4, w. checks) AB Protocol (version 5, limiting checks) mtype = { msg, ack ; chan s_r = [2] of {mtype, byte, bit; chan r_s = [2] of {mtype, bit ; :: data < 10 -> s_r! msg(data, sbit) assert(recd == expected); mtype = { msg, ack ; chan s_r = [2] of {mtype, byte, bit; chan r_s = [2] of {mtype, bit ; :: data < 10 -> s_r! msg(data, sbit) progress: assert(recd == expected) ; 27 28 AB Protocol (version 6, w progress) AB Protocol (version 7, w progress) mtype = { msg, ack ; chan s_r = [2] of {mtype, byte, bit; chan r_s = [2] of {mtype, bit ; :: data < 10 -> s_r! msg(data, sbit) :: (1) -> progress1: skip progress: assert(recd == expected) ; :: (1) -> progress2: skip 29 # dene MAXMSG 4 mtype = { msg, ack ; chan s_r = [2] of {mtype, byte, bit; chan r_s = [2] of {mtype, bit ; chan source = [0] of {byte; chan sink = [0] of {byte; source?data; :: s_r! msg(data, sbit) :: (1) -> progress1: skip source?data byte recd = 0; sink!recd; progress: rbit = 1 - rbit :: (1) -> progress2: skip 30 5

AB Protocol (version 7, w harness) AB Protocol (version 8, new harness) # dene MAXMSG 4 chan source = [0] of {byte; chan sink = [0] of {byte; active proctype Generator() { byte seed = 0; :: source!seed -> seed = (seed+1)%maxmsg active proctype Checker() { byte expected, inmsg= 0; assert(inmsg == expected); expected = (expected+1)%maxmsg # dene white 0 # dene red 1 # dene blue 2 chan source = [0] of {byte; chan sink = [0] of {byte; active proctype Generator() { :: source!white :: source!red -> break ; :: source!white :: source!blue -> break ; end: :: source!white active proctype Checker() { byte inmsg; :: (inmsg == red) -> break assert(inmsg == white) ; :: (inmsg == blue) -> break assert(inmsg == white) ; end1: assert(inmsg == white) 31 32 AB Protocol (version 9, w acceptance) AB Protocol (version 9, the never claim) #dene p Sender@Slabel #dene q Receiver@Rlabel #dene r Receiver@Rsuccess mtype = { msg, ack ; chan s_r = [2] of {mtype, byte, bit; chan r_s = [2] of {mtype, bit ; source?data; Slabel: skip source?data byte recd = 0; Rsuccess: sink!recd; rbit = 1 - rbit -> Rlabel: skip 33 #dene p Sender@Slabel #dene q Receiver@Rlabel #dene r Receiver@Rsuccess /* * Formula As yped: ([] <> p && [] <> q) -> [] <> r * he Never Claim Below Corresponds * o he Negated Formula!(([] <> p && [] <> q) -> [] <> r) * (formalizing violations of the original) */ never { /*!(([] <> p && [] <> q) -> [] <> r) */ 0_init: :: (! ((r)) && (p) && (q)) -> goto accept_s485 :: (! ((r)) && (p)) -> goto 2_S485 :: (! ((r))) -> goto 0_S485 :: (1) -> goto 0_init ; accept_s485: :: (! ((r))) -> goto 0_S485 ; 2_S485: :: (! ((r)) && (q)) -> goto accept_s485 :: (! ((r))) -> goto 2_S485 ; 0_S485: :: (! ((r)) && (p) && (q)) -> goto accept_s485 :: (! ((r)) && (p)) -> goto 2_S485 :: (! ((r))) -> goto 0_S485 ; 34 Specying invariant properties Checking by monitor Always executable If v <= 2 is false, SPIN exits with error Used to check invariants assert (v <= 2) #dene true 1 #dene false 0 #dene turn1 false #dene turn2 true l2: t = turn2; l3: (y2 == false t == turn1) ; mutex -- ; atomic{ y1 = false ; goto l1 m2: t = turn1; m3: (y1 == false t == turn2) ; mutex-- ; atomic{ y2 = false ; goto m1 active proctype monitor() { assert (mutex <= 1) run P1() ; run P2() 35 36 6

Checking deadlocks Checking progress by progress-labels #dene true 1 #dene false 0 #dene turn1 false #dene turn2 true l2: skip ; l3: (y2 == false) ; mutex -- ; atomic{ y1 = false ; goto l1 m2: skip ; m3: (y1 == false) ; mutex-- ; atomic{ y2 = false ; goto m1 active proctype monitor() { assert (mutex <= 1) run P1() ; run P2() 37 #dene MAX 5 mtype = { mesg, ack, nak, err ; proctype sender(chan in, out) { byte o, s, r; o=max-1; :: o = (o+1)%max; /* next msg */ again: :: out!mesg(o,s) /* send */ :: (1) -> progress1: out!err(0,0) /* distort */ :: (1) -> progress2: skip /* or lose */ ; :: timeout -> goto again :: in?err(0,0) -> goto again :: in?nak(r,0) -> goto again :: in?ack(r,0) -> :: (r == s) -> goto progress :: (r!= s) -> goto again ; progress: s = 1-s /* toggle seqno */ proctype receiver(chan in, out) { byte i; /* actual input */ byte s; /* actual seqno */ byte es; /* expected seqno */ byte ei; /* expected input */ :: in?mesg(i, s) -> :: (s == es) -> assert(i == ei); progress: es = 1 - es; ei = (ei + 1)%MAX; /* send, */ :: out!ack(s,0) /* distort */ :: (1) -> out!err(0,0) :: (s!= es) -> /* send, */ :: out!nak(s,0) /* distort */ :: (1) -> out!err(0,0) :: in?err(0,0) -> out!nak(s,0) 38 Checking progress (ctd.) Progress labels: improved version chan s_r = [1] of { mtype,byte,byte ; chan r_s = [1] of { mtype,byte,byte ; run sender(r_s, s_r); run receiver(s_r, r_s) #dene MAX 5 mtype = { mesg, ack, nak, err ; proctype sender(chan in, out) { byte o, s, r; o=max-1; :: o = (o+1)%max; /* next msg */ again: :: out!mesg(o,s) /* send */ :: (1) -> progress1: out!err(0,0) /* distort */ proctype receiver(chan in, out) { byte i; /* actual input */ byte s; /* actual seqno */ byte es; /* expected seqno */ byte ei; /* expected input */ :: in?mesg(i, s) -> :: (s == es) -> assert(i == ei); progress: es = 1 - es; ei = (ei + 1)%MAX; 39 :: (1) -> progress2: skip /* or lose */ ; :: timeout -> goto again :: in?err(0,0) -> goto again :: in?nak(r,0) -> goto again :: in?ack(r,0) -> :: (r == s) -> goto progress :: (r!= s) -> goto again ; progress: s = 1-s /* toggle seqno */ /* send, */ :: out!ack(s,0) /* distort */ :: (1) -> progress1: out!err(0,0) :: (1) -> progress2: skip :: (s!= es) -> /* send, */ :: out!nak(s,0) /* distort */ :: (1) -> progress3: out!err(0,0) :: (1) -> progress4: skip :: in?err(0,0) -> out!nak(s,0) 40 Automata properties: never claims Automata specications can be given in Promela as Never claims, e.g., ( p -> p ) p p never { :: p -> break ; ::!p -> break Never claims execute in lock-step with the rest of the Promela mel Accept they reach the end Buchi Automata as never claims Accepting states designated by labels acceptxxxxx ( p /\ q) p /\ q q never { :: p &&!q -> break ; accept: ::!q he never claim accepts the Promela mel has cycle with only!q hen SPIN reports a violating cycle. 41 42 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback