1 / 21

Spin Model Checker

Spin Model Checker. Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011. Common Design Flaws. Deadlock Livelock, Starvation Under-specification Over-specification Violation of Constraints Etc.

denton
Download Presentation

Spin Model Checker

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011

  2. Common Design Flaws • Deadlock • Livelock, Starvation • Under-specification • Over-specification • Violation of Constraints • Etc. • Most of the errors caused by these flaws can be detected by model checking.

  3. Model Checking and Spin • Model Checking: • Is an automated technique that, given a finite model of a system and a logical property, systematically checks whether this property holds for that model. • Spin is a well known classical model checker. • Aims towards concurrent systems • Only checks functional properties • Does not model real-time, but is capable of modeling timeouts. Abstract Verification Model Implementation Design abstraction refinement Model Checker

  4. Material which needs to be covered • Spin Architecture • We wont cover • JSpin • How to install • How to use it • Promela • Basic building blocks

  5. jSpin • Install • Create a directory for mingw, and install mingw in that directory. • Create separate directory for Jspin. Download executable for Jspin in directory, and run executable. • Running jSpin • -javaw –jar jSpin.jar (with optional Promela file). • Demo jspin

  6. jSpin • Check • Runs a syntax check. • Random • Runs a random simulation. • Interactive • Runs an interactive simulation. • Guided • Runs a guided simulation using the trail file created by the execution of the analyzer.

  7. Verification with jSpin • With LTL formulas: • formula must be converted to an automaton written as a Promela never claim. • Remember to do Translate. • Translated LTL formula's will be saved in a *.ltl file. • Original LTL formulas can be saved in*.prp.

  8. Verification with jSpin • Without LTL formulas: • Safety Properties • Using assertions • Acceptance cycles: • Testing for acceptance cycles is generally testing for the absence of unwanted infinite behavior. • Acceptance cycle is a cycle that infinitely often visits an acceptance state. • Non-Progress cycles: • Progress is the guarantee of wanted infinite behavior. • Non-progress cycle is a cycle that does not visit a progress state infinitely often.

  9. Promela • Promela consists of: • Processes • Describes the behavior of the system. • Channels • Define the environment in which the processes run. • Variables • Define the environment in which the processes run. • The scope of a variable is global if it is declared outside all process declarations, and local if it is declared within a process declaration.

  10. Promela • Statements in Promela: • Are all conditional: A statement will only be executed if the condition of its execution is satisfied. Hence: • Statement is either Executable or Blocked. Example: (a == b) is similar to While(a != b) { // Skip } • Promela cant have unbounded • Data, Channels, Processes, Process Creation.

  11. Promela-variables • Basic Types: • Bit • Bool • Byte • Short • Int • Arrays • Byte test[9] • Record • Typedef test {int test1, byte test2}

  12. Promela-variables • Message type mtype • mtype {int, byte} • Channels • chan toR = [6] of {mtype, bit} • Global Variables • Variables can be given values by: assignment, argument passing and message passing.

  13. Promela-processes • Processes • Can be created by run or active. • Can be created at any point. • Processes can interact via channels or global variables. • The run statement can pass parameter values of all basic data types to the new process. proctype P() { … } Init{ Int pid2 = run P(); } name execution number byte state; active [2] proctype P() { (state == 1) -> state = 3 } OR

  14. Promela- Advanced Topics • atomic: • Statements in atomic are executed as one indivisible unit, non-interleaved with any other processes. • d_step: • Similar to atomic • Does not save intermediate states • Can not contain non-determinism or blocking statements proctype P() { atomic{ (state==1) -> state = state+1 } }

  15. Promela-Statements • If-statement: • If more than one guard is satisfied, we have non- determinism. • If all guards are un-executable the process will block until at least one of them can be selected. • There is no restriction on the type of statements that can be used as a guard. if :: count = count + 1 :: count = count – 1 fi if :: (a >= b ) -> Stmt1 ; Stmt2 ; … :: (a < b ) -> Stmt3 ; Stmt4 ; … :: (a == b ) -> Stmt5 ; Stmt6 ; … :: else -> Stmt7 fi

  16. Promela-Statements • Do-statement • Same as if-statement, only in a while loop. do :: count = count + 1 :: count = count – 1 :: (count == 0) -> break od do :: (a >= b ) -> Stmt1 ; Stmt2 ; … :: (a < b ) -> Stmt3 ; Stmt4 ; … :: (a == b ) -> Stmt5 ; Stmt6 ; … :: else -> Stmt7 od

  17. Promela-Communication • Processes can communicate in two ways: • Global variables • Channels: • chan <name> = [<dim>] of {<type1>, <type2>, ..,<typen>} • Example: chantoR = [2] of {int, int} • Asynchronously : dimension > 0 • Synchronously : dimension = 0 • Actions: • Sending : ch ! <expr_1>, ..,<expr_n> • Receiving: ch ? var_1,..,var_n • If send and receive can not happen, process will block. toR!(1,5) ……. toR?(x1,x2)

  18. Promela-Statements • Special Statements: • goto • skip: same as 1 or true, • run • assert (<expr>) • check whether certain properties hold. Gives an error if violated.

  19. Promela- Advanced Topics • Timeout • Promela has no real-time features • The timeout statement can only be executed when no other statement in the system can be executed • Can help get out of deadlock • The timeout models a special condition that allows a process to abort the waiting for a condition that may never become true, e.g. an input from an empty channel. • Example: do :: guard1 -> Stmt1; … :: timeout -> break ;… od

  20. Conclusion • Spin is suitable for concurrent systems • Can not model time • JSpin is easy to install and use via the graphical interface • Promela is similar to C, therefore easy to cope with. • Beware of state explosion • Need basic knowledge of LTL.

  21. References • Spin official page • http://spinroot.com • Spin online tutorials • http://spinroot.com/spin/Man/index.html • Jspin • http://stwww.weizmann.ac.il/g-cs/benari/spin • Erigone • http://stwww.weizmann.ac.il/g-cs/benari/erigone

More Related