1 / 33

Concurrent and Distributed Programming SPIN Tutorial part I

2. CDP. SPIN Tutorial - part I. CDP SPIN Lectures. SPIN part I IntroductionSPIN BackgroundPromela processes Promela statementsPromela communication Some demo's: SPIN and Xspin. SPIN part IISome more Promela constructsVerification: propertiesHow does SPIN work?How to write efficient S

korbin
Download Presentation

Concurrent and Distributed Programming SPIN Tutorial part I

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. Concurrent and Distributed Programming SPIN Tutorial – part I Opmerkingen na CDP HC1 Eerst heeft Pieter Hartel een inleiding gegeven op het vak; daarna bleef er een uur over voor dit eerste college over SPIN. Er waren ruim 80 studenten bij dit eerste college. Het college zelf liep goed. De demo’s hielden de aandacht erbij. Ik had trouwens verder willen komen tijdens dit college; de slides van HC2 t/m de eerste demo van ABP had ik oorspronkelijk bij dit hoorcollege gepland. De beschrijving over “processen” vind ik zwak. Nu begin ik met de formele bestandsdelen van een proces (naam, formal parameters, body), maar zonder een echt formele grammatica o.i.d. te geven. Het is wellicht beter om processen “by-example” te introduceren. Opmerkingen na CDP HC1 Eerst heeft Pieter Hartel een inleiding gegeven op het vak; daarna bleef er een uur over voor dit eerste college over SPIN. Er waren ruim 80 studenten bij dit eerste college. Het college zelf liep goed. De demo’s hielden de aandacht erbij. Ik had trouwens verder willen komen tijdens dit college; de slides van HC2 t/m de eerste demo van ABP had ik oorspronkelijk bij dit hoorcollege gepland. De beschrijving over “processen” vind ik zwak. Nu begin ik met de formele bestandsdelen van een proces (naam, formal parameters, body), maar zonder een echt formele grammatica o.i.d. te geven. Het is wellicht beter om processen “by-example” te introduceren.

    2. 2 CDP SPIN Tutorial - part I CDP – SPIN Lectures SPIN – part I Introduction SPIN Background Promela processes Promela statements Promela communication Some demo’s: SPIN and Xspin

    3. 3 CDP SPIN Tutorial - part I Common Design Flaws Deadlock Livelock, starvation Underspecification unexpected reception of messages Overspecification Dead code Violations of constraints Buffer overruns Array bounds violations Assumptions about speed Logical correctness vs. real-time performance

    4. 4 CDP SPIN Tutorial - part I What is Model Checking? [Clarke & Emerson 1981]: “Model checking is an automated technique that, given a finite-state model of a system and a logical property, systematically checks whether this property holds for (a given initial state in) that model.” Advantage of Model Checking “Press-on-the-button-technology”: Advantage of Model Checking “Press-on-the-button-technology”:

    5. 5 CDP SPIN Tutorial - part I What is Model Checking?

    6. 6 CDP SPIN Tutorial - part I System Development “Classic” Model Checking The “pure” approach. Unfortunately, industry did not take this idea up (yet); see [Holzmann 2000 - M’dorf] This design trajectory (without the model checking backtracking) also fits in the CPA philosophy. “Classic” Model Checking The “pure” approach. Unfortunately, industry did not take this idea up (yet); see [Holzmann 2000 - M’dorf] This design trajectory (without the model checking backtracking) also fits in the CPA philosophy.

    7. 7 CDP SPIN Tutorial - part I Classic vs Modern Approach

    8. 8 CDP SPIN Tutorial - part I Verification vs. Debugging Two (extreme) approaches with respect to the application of model checkers. verification approach: tries to ascertain the correctness of a detailed model M of the system under validation. debugging approach: tries to find errors in a model M. Model checking is most effective in combination with the debugging approach.

    9. 9 CDP SPIN Tutorial - part I FMSE (1) FMSE – Modelling and Analysis of System Behaviour FSP (finite state processes): textual representation LTS (labelled transition systems): graphical representation LTSA: analysis of LTS/FSP models FSP is a process algebra operators stop, action prefix (a -> B), choice (b -> B | c -> C), indexed actions (to simulate integers), indexed processes (to simulate parameters), relabeling, hiding (relabeling with tau), parallel composition synchronization communication (on identical actions) bisimulation non-determinism

    10. 10 CDP SPIN Tutorial - part I FMSE (2) Problems discussed Alternating bit protocol Dining Philosophers Readers/Writers model Hippies/Soldiers problem Properties A safety property asserts that nothing bad happens (e.g. no deadlocked states). A liveness property asserts that something good will eventually happen (e.g. always normal termination). Other topics / one-liners: Deadlock: state with no outgoing transitions. A progress property asserts that it is always the case that an action is eventually executed. FSP: high/low priority operators Fair choice: If a choice over a set of transitions is executed infinitely often, then every transition in the set will be executed infinitely often. Other topics / one-liners: Deadlock: state with no outgoing transitions. A progress property asserts that it is always the case that an action is eventually executed. FSP: high/low priority operators Fair choice: If a choice over a set of transitions is executed infinitely often, then every transition in the set will be executed infinitely often.

    11. 11 CDP SPIN Tutorial - part I SPIN – Introduction (1) SPIN (= Simple Promela Interpreter) is a tool for analysing the logical conisistency of concurrent systems, specifically of data communication protocols. state-of-the-art model checker, used by >2000 users concurrent systems are described in the modelling language called Promela.

    12. 12 CDP SPIN Tutorial - part I SPIN – Introduction (2) Promela (= Protocol/Process Meta Language) specification language to model finite-state systems loosely based on CSP dynamic creation of concurrent processes communication via message channels can be synchronous (i.e. rendezvous), or asynchronous (i.e. buffered) features from Dijkstra’s guarded command language features from the programming language C

    13. 13 CDP SPIN Tutorial - part I SPIN – Introduction (3) Major versions: During the years, several additions/optimisations/improvements to standard SPIN have been proposed. RT-SPIN, DT-SPIN D-SPIN, Symmetric SPINDuring the years, several additions/optimisations/improvements to standard SPIN have been proposed. RT-SPIN, DT-SPIN D-SPIN, Symmetric SPIN

    14. 14 CDP SPIN Tutorial - part I Documentation on SPIN SPIN’s starting page: http://spinroot.com Basic SPIN manual Getting started with Xspin Getting started with SPIN Examples and Exercises Concise Promela Reference (by Rob Gerth) Proceedings of all ten SPIN Workshops Gerard J. Holzmann The Spin Model Checker Primer and Reference Manual Addison Wesley ISBN 0-32122-862-6, 608 pages, covers SPIN up to version 4.0.

    15. 15 CDP SPIN Tutorial - part I Installation of SPIN SPIN binaries http://spinroot.com/spin/Bin/index.html Windows 95/98/2000/NT/XP Need to install: C compiler (Visual C++ / DJGPP / Cygwin) http://www.cygwin.com Tcl/Tk 8.x interpreter (for XSpin) http://aspn.activestate.com/ASPN/Tcl Linux Solaris SPIN sources http://spinroot.com/spin/Src/index.html SPIN can be compiled on any UNIX system, including Apple’s Mac OS X.

    16. 16 CDP SPIN Tutorial - part I Promela Model (1) A Promela model consist of: type declarations channel declarations global variable declarations process declarations [init process] Promela Model The behaviour of a Promela model is captured in processes: variables (and values) and statements to test/set the values of the variables. Promela Model The behaviour of a Promela model is captured in processes: variables (and values) and statements to test/set the values of the variables.

    17. 17 CDP SPIN Tutorial - part I Promela Model (2) Promela model consist of: type declarations channel declarations variable declarations process declarations [init process] A Promela model corresponds with a (usually very large, but) finite transition system, so no unbounded data no unbounded channels no unbounded processes no unbounded process creation Promela Model The behaviour of a Promela model is captured in processes: variables (and values) and statements to test/set the values of the variables.Promela Model The behaviour of a Promela model is captured in processes: variables (and values) and statements to test/set the values of the variables.

    18. 18 CDP SPIN Tutorial - part I Processes (1) A process is defined by a proctype definition executes concurrently with all other processes, independently of speed or behaviour communicates with other processes using global (shared) variables using channels There may be several processes of the same type. Each process has its own local state: process counter (location within the proctype) contents of the local variables Processes Processes in SPIN are first-class citizens. Behaviour of the system is modelled/captured by processes. Processes Processes in SPIN are first-class citizens. Behaviour of the system is modelled/captured by processes.

    19. 19 CDP SPIN Tutorial - part I Processes (2) A process type (proctype) consist of a name a list of formal parameters local variable declarations body Processes Processes in SPIN are first-class citizens. Behaviour of the system is modelled/captured by processes.Processes Processes in SPIN are first-class citizens. Behaviour of the system is modelled/captured by processes.

    20. 20 CDP SPIN Tutorial - part I Processes (3) Process are created using the run statement (which returns the process id). Processes can be created at any point in the execution (within any process). Processes start executing after the run statement. Processes can also be created by adding active in front of the proctype declaration.

    21. 21 CDP SPIN Tutorial - part I Hello World! /* A "Hello World" Promela model for SPIN. */ active proctype Hello() { printf("Hello process, my pid is: %d\n", _pid); } init { int lastpid; printf("init process, my pid is: %d\n", _pid); lastpid = run Hello(); printf("last pid was: %d\n", lastpid); } DEMO only command-line SPIN demo keyword “_pid”: read-only local variable that stores the process instantiation number of the process only simulation demo: cat hello.pr spin –h: to show all options of SPIN spin hello.pr: random simulation spin –i hello.pr: interactive simulation spin –n2 hello.pr: let random simulation start with seed “2”DEMO only command-line SPIN demo keyword “_pid”: read-only local variable that stores the process instantiation number of the process only simulation demo: cat hello.pr spin –h: to show all options of SPIN spin hello.pr: random simulation spin –i hello.pr: interactive simulation spin –n2 hello.pr: let random simulation start with seed “2”

    22. 22 CDP SPIN Tutorial - part I Variables and Types (1) Five different (integer) basic types. Arrays Records (structs) Type conflicts are detected at runtime ?. Default initial value of basic variables (local and global) is 0. Processes Processes have “state”: memory locations (variables) that hold values.Processes Processes have “state”: memory locations (variables) that hold values.

    23. 23 CDP SPIN Tutorial - part I Variables and Types (2) Variables should be declared. Variables can be given a value by: Initialisation assignment argument passing message passing (see communication) Variables can be used in expressions.

    24. 24 CDP SPIN Tutorial - part I Statements (1) The body of a process consists of a sequence of statements. A statement is either executable: the statement can be executed immediately. blocked: the statement cannot be executed. An assignment is always executable. An expression is also a statement; it is executable if it evaluates to non-zero. 2 < 3 always executable x < 27 only executable if value of x is smaller 27 3 + x executable if x is not equal to –3

    25. 25 CDP SPIN Tutorial - part I Statements (2) The skip statement is always executable. “does nothing”, only changes process’ process counter A run statement is only executable if a new process can be created (remember: the number of processes is bounded). A printf statement is always executable (but is not evaluated during verification, of course). skip Note: the skip statement itself might be optimized away by SPIN optimisation algorithms.skip Note: the skip statement itself might be optimized away by SPIN optimisation algorithms.

    26. 26 CDP SPIN Tutorial - part I Statements (3) assert(<expr>); The assert-statement is always executable. If <expr> evaluates to zero, SPIN will exit with an error, as the <expr> “has been violated”. The assert-statement is often used within Promela models, to check whether certain properties are valid in a state.

    27. 27 CDP SPIN Tutorial - part I Interleaving Semantics Promela processes execute concurrently. Non-deterministic scheduling of the processes. Processes are interleaved (statements of different processes do not occur at the same time). exception: rendez-vous communication. All statements are atomic; each statement is executed without interleaving with other processes. Each process may have several different possible actions enabled at each point of execution. only one choice is made, non-deterministically. Assignments Assignments are always executed atomically (so we cannot directly model assignments in programming languages – like Java – in which assignments can be interleaved).Assignments Assignments are always executed atomically (so we cannot directly model assignments in programming languages – like Java – in which assignments can be interleaved).

    28. 28 CDP SPIN Tutorial - part I (random) Simulation Algorithm DEMO: This slide is the last one before the mutex demo’s. Mention: X(SPIN) is available on Unix(Linux) and Windows. It works most conveniently under Unix, however.DEMO: This slide is the last one before the mutex demo’s. Mention: X(SPIN) is available on Unix(Linux) and Windows.It works most conveniently under Unix, however.

    29. 29 CDP SPIN Tutorial - part I Mutual Exclusion (1) Mutual Exclusion is a safety property among processes: Two processes may not interleave certain (sub-)sequences of instructions (i.e. the critical section). Instead, one sequence must be completed before the other commences. Properties to be satisfied: at most one process can be in the critical section at the same time; no deadlocks no halting in the critical section no starvation of one of the processes Java has special construct to protect critical sections: synchronized

    30. 30 CDP SPIN Tutorial - part I bit flag; /* signals entering/leaving the section */ byte mutex; /* # procs in the critical section (CS). */ proctype P(bit i) { flag != 1; flag = 1; mutex++; printf("MSC: P(%d) has entered section.\n", i); mutex--; flag = 0; } proctype monitor() { assert(mutex != 2); } init { atomic { run P(0); run P(1); run monitor(); } } Mutual Exclusion (2) Show in Xspin: simulator (interactive: show correct run) MSC (nothing to see yet) data values trace through Promela model run verification random simulationShow in Xspin: simulator (interactive: show correct run) MSC (nothing to see yet) data values trace through Promela model run verification random simulation

    31. 31 CDP SPIN Tutorial - part I Mutual Exclusion (3) bit a, b; /* signal entering/leaving the section */ byte mutex; /* # of procs in the critical section. */ active proctype A() { a = 1; b == 0; mutex++; mutex--; a = 0; } active proctype monitor() { assert(mutex != 2); } To mention invalid end-state = deadlockTo mention invalid end-state = deadlock

    32. 32 CDP SPIN Tutorial - part I Mutual Exclusion (4) bit a, b; /* signal entering/leaving the section */ byte mutex; /* # of procs in the critical section. */ byte turn; /* who's turn is it? */ active proctype A() { a = 1; turn = B_TURN; b == 0 || (turn == A_TURN); mutex++; mutex--; a = 0; } active proctype monitor() { assert(mutex != 2); } Show in Xspin Run “Slicing Algorithm”. Show that program does not contain any (safety) errors.Show in Xspin Run “Slicing Algorithm”. Show that program does not contain any (safety) errors.

    33. 33 CDP SPIN Tutorial - part I (X)Spin Architecture

    34. 34 CDP SPIN Tutorial - part I Xspin in a nutshell Xspin allows the user to edit Promela models (+ syntax check) simulate Promela models random interactive guided verify Promela models exhaustive bitstate hashing mode additional features Xspin suggest abstractions to a Promela model (slicing) Xspin can draw automata for each process LTL property manager Help system (with verification/simulation guidelines)

More Related