Introduction to Model Checking

Similar documents
transformation of PROMELA models into Channel Systems,

Tool demonstration: Spin

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

Lecture 3 SPIN and Promela

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

Network Protocol Design and Evaluation

Computer Aided Verification 2015 The SPIN model checker

CS477 Formal Software Development Methods / 39

Design of Internet Protocols:

Patrick Trentin Formal Methods Lab Class, March 03, 2017

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

The Spin Model Checker : Part I. Moonzoo Kim KAIST

What is SPIN(Simple Promela Interpreter) Elements of Promela. Material About SPIN. Basic Variables and Types. Typical Structure of Promela Model

Applications of Formal Verification

SPIN: Introduction and Examples

Patrick Trentin Formal Methods Lab Class, Feb 26, 2016

What is SPIN(Simple Promela Interpreter) Material About SPIN. Elements of Promela. Basic Variables and Types. Typical Structure of Promela Model

Ch 9: Control flow. Sequencers. Jumps. Jumps

INF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen

Applications of Formal Verification

Applications of Formal Verification

Formal Specification and Verification

The SPIN Model Checker

CS477 Formal Software Development Methods / 32

Model checking Timber program. Paweł Pietrzak

Software Engineering using Formal Methods

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

Software Engineering using Formal Methods

SPIN: Part /614 Bug Catching: Automated Program Verification. Sagar Chaki November 12, Carnegie Mellon University

The Spin Model Checker : Part I/II

T Parallel and Distributed Systems (4 ECTS)

Spin: Overview of PROMELA

Model Requirements and JAVA Programs MVP 2 1

Distributed Systems Programming (F21DS1) Formal Verification

Formal Verification by Model Checking

Spin: Overview of PROMELA

FORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY

Distributed Systems Programming F29NM1 2. Promela I. Andrew Ireland. School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh

Logic Model Checking

Model-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner

Multi-Threaded System int x, y, r; int *p, *q, *z; int **a; EEC 421/521: Software Engineering. Thread Interleaving SPIN. Model Checking using SPIN

TOWARDS AUTOMATED VERIFICATION OF WEB SERVICES

Design and Analysis of Distributed Interacting Systems

Chapter 8. Statement-Level Control Structures

The SPIN Model Checker

these developments has been in the field of formal methods. Such methods, typically given by a

A Tutorial on Model Checker SPIN

A Deterministic Concurrent Language for Embedded Systems

Abstract Interpretation

Model-Checking Concurrent Systems

Formal Methods for Software Development

The learning objectives of this chapter are the followings. At the end of this chapter, you shall

Exercise Unit 2: Modeling Paradigms - RT-UML. UML: The Unified Modeling Language. Statecharts. RT-UML in AnyLogic

Pet: An Interactive Software Testing Tool

Control Structures. Outline. In Text: Chapter 8. Control structures Selection. Iteration. Gotos Guarded statements. One-way Two-way Multi-way

Qualifying Exam in Programming Languages and Compilers

Formal Syntax and Semantics of Programming Languages

Failure Modelling in Software Architecture Design for Safety

Network Protocol Design and Evaluation

Note that in this definition, n + m denotes the syntactic expression with three symbols n, +, and m, not to the number that is the sum of n and m.

The Substitution Model

EMBEDDED C CODE 17. SPIN Version 4 supports the inclusion of embedded C code into PROMELA models through the following fiv e new primitives:

A Deterministic Concurrent Language for Embedded Systems

Functional Programming. Overview. Topics. Definition n-th Fibonacci Number. Graph

Verification Framework for Detecting Safety Violations in UML State chart Models of Reactive Systems C.M. Prashanth

Beyond Reduction... Busy Acquire. Busy Acquire. alloc. alloc. Non-Serial Execution: Serial Execution: Atomic but not reducible

3.7 Denotational Semantics

Iterative Statements. Iterative Statements: Examples. Counter-Controlled Loops. ICOM 4036 Programming Languages Statement-Level Control Structure

6. The Bounded Re-transmission Protocol. Jean-Raymond Abrial

Behavioural Equivalences and Abstraction Techniques. Natalia Sidorova

Hello World. Slides mostly a reproduction of Theo C. Ruys SPIN Beginners Tutorial April 23, Hello() print "Hello"

Application: Programming Language Semantics

Mapping of UML Diagrams to Extended Petri Nets for Formal Verification

Distributed Systems Programming (F21DS1) SPIN: Simple Promela INterpreter

An Exercise in Iterative Domain- Specific Language Design. Marcel van Amstel Mark van den Brand Luc Engelen

A Deterministic Concurrent Language for Embedded Systems

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Automated Reasoning. Model Checking with SPIN (II)

Analysis of Interacting BPEL Web Services

Concurrent ML. John Reppy January 21, University of Chicago

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis II

Siegfried Loer and Ahmed Serhrouchni. Abstract. SPIN is a tool to simulate and validate Protocols. PROMELA, its

Modeling a Cache Coherence Protocol with the Guarded Action Language

CSE 307: Principles of Programming Languages

Counter-Example Guided Program Verification

The Substitution Model. Nate Foster Spring 2018

Compiler Construction

Chapter 8. Statement-Level Control Structures

PROPER TECHNIQUE OF SOFTWARE INSPECTION USING GUARDED COMMAND LANGUAGE

How useful is the UML profile SPT without Semantics? 1

Sérgio Campos, Edmund Clarke

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

The UPPAAL Model Checker. Julián Proenza Systems, Robotics and Vision Group. UIB. SPAIN

Primitive Task-Parallel Constructs The begin statement The sync types Structured Task-Parallel Constructs Atomic Transactions and Memory Consistency

Verification of Web Service Flows with Model-Checking Techniques

Concurrent Models of Computation

Temporal Refinement Using SMT and Model Checking with an Application to Physical-Layer Protocols

Model Checking Dynamic and Hierarchical UML State Machines

Reasoning About Programs Panagiotis Manolios

Transcription:

Introduction to Model Checking René Thiemann Institute of Computer Science University of Innsbruck WS 2007/2008 RT (ICS @ UIBK) week 4 1/23 Outline Promela - Syntax and Intuitive Meaning Promela - Formal semantics The State-Space Explosion Problem RT (ICS @ UIBK) week 4 2/23

Promela - Syntax and Intuitive Meaning nanopromela Promela (Process Meta Language) is modeling language for SPIN most widely used model checker SPIN developed by Gerard Holzmann (Bell Labs, NASA JPL) ACM Software Award 2002 nanopromela is the core of Promela shared variables and channel-based communication formal semantics of a Promela model is a channel system processes are defined by means of a guarded command language No actions, statements describe effect of actions RT (ICS @ UIBK) week 4 4/23 Promela - Syntax and Intuitive Meaning nanopromela nanopromela-program P = [P 1... P n ] with P i processes A process is specified by a statement: stmt ::= skip x := expr c?x c!expr stmt 1 ; stmt 2 atomic{assignments} if :: g 1 stmt 1... :: g n stmt n fi do :: g 1 stmt 1... :: g n stmt n od assignments ::= x 1 := expr 1 ; x 2 := expr 2 ;... ; x m := expr m x is a variable in Var, expr an expression and c a channel, g i a guard assume the Promela specification is type-consistent RT (ICS @ UIBK) week 4 5/23

Promela - Syntax and Intuitive Meaning Conditional statements if :: g 1 stmt 1... :: g n stmt n fi Nondeterministic choice between statements stmt i for which g i holds Test-and-set semantics: (deviation from Promela) guard evaluation + selection of enabled command + execution first atomic step of selected statement is all performed atomically The if fi command blocks if no guard holds parallel processes may unblock a process by changing shared variables e.g., when y=0, if :: y > 0 x := 42 fi waits until y exceeds 0 Standard abbreviations: if g then stmt 1 else stmt 2 fi if :: g stmt 1 :: g stmt 2 fi if g then stmt 1 fi if :: g stmt 1 :: g skip fi RT (ICS @ UIBK) week 4 6/23 Promela - Syntax and Intuitive Meaning Iteration statements do :: g 1 stmt 1... :: g n stmt n od Iterative execution of nondeterministic choice among g i stmt i where guard g i holds in the current state No blocking if all guards are violated; instead, loop is aborted do :: g stmt od while g do stmt od No break-statements to abort a loop RT (ICS @ UIBK) week 4 7/23

Promela - Syntax and Intuitive Meaning Beverage vending machine The following nanopromela program describes its behaviour: do :: true skip; if :: nsprite > 0 nsprite := nsprite 1 :: nbeer > 0 nbeer := nbeer 1 :: nsprite = nbeer = 0 skip fi :: true atomic{nbeer := max; nsprite := max} od RT (ICS @ UIBK) week 4 8/23 Promela - Syntax and Intuitive Meaning Alternating bit protocol - Receiver c? m, y wait(0) chk msg(0) y = 0 snd ack(0) y = 1 d!1 d!0 y = 0 snd ack(1) y = 1 chk msg(1) wait(1) c? m, y RT (ICS @ UIBK) week 4 9/23

Promela - Formal semantics Formal semantics The semantics of a nanopromela-statement over (Var, Chan) is a program graph over (Var, Chan). The program graphs PG 1,..., PG n for the processes P 1,..., P n of a nanopromela-program P = [P 1... P n ] constitute a channel system over (Var, Chan) The locations of the program graph PG i are the sub-statements of the nanopromela-program P i. RT (ICS @ UIBK) week 4 11/23 Promela - Formal semantics Sub-statements For each statement stmt its substatements Sub stmt (stmt) is the smallest set of statements such that RT (ICS @ UIBK) week 4 12/23

Promela - Formal semantics Inference rules true: id skip exit where id denotes an action that does not change the values of the variables x := expr true : assign(x, expr) exit assign(x, expr) denotes the action that only changes x, no other variables c?x c?x exit c!expr c!expr exit RT (ICS @ UIBK) week 4 13/23 Promela - Formal semantics Inference rules atomic{x 1 := expr 1 ;... ; x m := expr m } true : α m exit where α 0 = id, α i = Effect(assign(x i, expr i ), Effect(α i 1, η)) for 1 i m RT (ICS @ UIBK) week 4 14/23

Promela - Formal semantics Inference rules RT (ICS @ UIBK) week 4 15/23 The State-Space Explosion Problem Sequential programs The # states of a simple program graph is: #program locations variable x dom(x) number of states grows exponentially in the number of program variables N variables with k possible values each yields k N states this is called the state-space explosion problem A program with 10 locations, 3 bools, 4 integers (in range 0... 9): 10 2 3 10 4 = 800, 000 states Adding a single 50-positions bit-array yields 800, 000 2 50 states RT (ICS @ UIBK) week 4 17/23

The State-Space Explosion Problem Concurrent programs The # states of P P 1... P n is maximally: #states of P 1... #states of P n # states grows exponentially with the number of components The composition of N components of size k each yields k N states This is called the state-space explosion problem RT (ICS @ UIBK) week 4 18/23 The State-Space Explosion Problem Channel systems Asynchronous communication of processes via channels each channel c has a bounded capacity cap(c) if a channel has capacity 0, we obtain handshaking # states of system with N components and K channels is: ( N #program locations i=1 variable x dom(x) ) K dom(c j ) cap(c j ) j=1 this is the underlying structure of Promela RT (ICS @ UIBK) week 4 19/23

The State-Space Explosion Problem The alternating bit protocol c! m, 0 d?x snd msg(0) lost st tmr(0) tmr on! wait(0) x = 1 chk ack(0) x = 1 : tmr off! timeout? timeout? x = 0 : tmr off! chk ack(1) x = 0 wait(1) tmr on! st tmr(1) lost snd msg(1) d?x c! m, 1 channel capacity 10, and datums are bits, yields 2 }{{} 8 2 }{{} 6 2 }{{} 4 10 }{{} 2 10 = 3 2 37 4 10 11 states sender recv c d }{{} timer RT (ICS @ UIBK) week 4 20/23 The State-Space Explosion Problem The Need for Automated Verification requirements system Formalizing Modeling property specification system model huge! Model Checking satisfied violated + counterexample insufficient memory RT (ICS @ UIBK) week 4 21/23

The State-Space Explosion Problem Summary of Modeling Concurrent Systems Transition systems are fundamental for modeling software Interleaving = execution of independent concurrent processes by nondeterminism Channel systems = program graphs + first-in first-out communication channels handshaking for channels of capacity 0 asynchronous message passing when capacity exceeds 0 semantical model of Promela Formal semantic for Promela know exactly which system is verified Size of transition systems grows exponentially in the number of concurrent components and the number of variables RT (ICS @ UIBK) week 4 22/23 The State-Space Explosion Problem Exercises Write promela-code for the timer and the sender of the alternating bit protocol. Construct the corresponding program graphs according to the formal semantics. Change the inference rules such that conditional- and iteration-statements require one step for choosing the case without partially evaluating the corresponding statement. (Note that this refinement corresponds to the semantics of full Promela.) RT (ICS @ UIBK) week 4 23/23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback