1 / 16

Formal verification in SPIN

Formal verification in SPIN. Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999. Formal verification. Formal verification means using methods of mathematical argument to determine correctness of systems. Can be applied to hardware, software and other kinds of systems.

ermin
Download Presentation

Formal verification in SPIN

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999

  2. Formal verification • Formal verification means using methods of mathematical argument to determine correctness of systems. • Can be applied to hardware, software and other kinds of systems. • Bugs are expensive when discovered in a finished product. Idea: use FV to discover bugs during the design phase.

  3. Model checkers • Model checkers are among the most widely used FV tools. • Human inspection is not effective: • Currently designed systems are too large • Concurrency, race conditions • Big verifications done by paper and pencil are hard to re-construct and re-check • Model checkers are good at doing massive (but often simple) case analyses.

  4. The BIG picture YES model description Model checker property NO + counterexample

  5. Spin • Developed in Bell Labs, starting in 1980. • Designed for verification of distributed systems. • Model descriptions need to be given in PROMELA (PROcess MEta LAnguage). • Properties are described in LTL (Linear Temporal Logic).

  6. PROMELA overview • A PROMELA program describes a set of concurrent processes. • Execution is asynchronous (each time only one process does a step), except in special cases (rendezvous message passing). • Processes can die or be created dynamically. • Processes can communicate through global variables and channels (message passing).

  7.  Each Promela program generates a unique state transition system.  Promela “instructions” correspond to state transitions. X=0 y=1 X=0 y=0 :: y==0 ->x=1; X=1 y=0 PROMELA example proctype Pr1 (){ do :: x==0 ->y=1; :: x==1 ->y=0; od; } proctype Pr2 (){ do :: y==0 ->x=1; :: y==1 ->x=0; od; } init { x=0; y=0; run Pr1(); run Pr2(); }

  8. PROMELA special features • Nondeterministic choice: if if :: g1 -> s1; :: (x>3) -> x--; :: g2 -> s2; :: true -> y=1; . . . :: y -> x=x+y; fi fi; At each step, execute one of the statements whose guard evaluates to true.

  9. PROMELA special features • Nondeterministic loop: do do :: g1 -> s1; :: (x>3) -> x--; :: g2 -> s2; :: true -> y=1; . . . :: y -> x=x+y; od od; Repeat, choosing nondeterministically at each step.

  10. PROMELA special features • Channel communication: chan c = [2] of {bit}; chan din = [0] of {byte}; chan dout = [1] of {byte}; Send a message m on channel c: c!m Receive a message from channel c: c?x din?v -> dout!(v+v); c?1 -> x++; dout!v -> skip;

  11. Other PROMELA features • Labels and goto statement • Types: bit, bool, byte, short,int • User-defined types • . . . More about PROMELA on the course webpage.

  12. LTL overview • Expresses properties dependent on time (temporal) • LTL formulas are evaluated on sequences of states (linear) • Standard predicate logic + temporal operators: [] = always <> = eventually

  13. LTL in practice • x is always strictly greater than y: [](x>y) • Eventually x becomes equal to 1: <>(x==1) • Eventually x becomes equal to 1 and never changes afterwards: <>[](x==1) • If at any moment x becomes negative, y will become negative at some later moment: []((x<0) ==> <>(y<0))

  14. LTL, formal definitions F ::= p (a state predicate, like (x>0) or (x!=y)) | F1 && F2 | F1 || F2 | !F | []F | <>F Given a sequence of states s = s(0), s(1), s(2), ...  s(i) satisfies []Fif for every j>=i, s(j) satisfies F.  s(i) satisfies <>F if for some j>=i, s(j) satisfies F. The whole sequence s satisfies Fif s(0) satisfies F.

  15. ... ... p p,!q !p !p,q p p,!q !p !p,q p p,!q !p !p,q LTL examples <>(!p) []p []<>p <>[]p + + - - + [](p||q) []<>q <>(p&&q) (<>p)&&(<>q) + - +

  16. LTL verification in Spin • Given a PROMELA program and an LTL formula, Spin checks whether all possible computation paths satisfy the formula. int a,b,d; init { bit ready=0; a=100; proctype Euclid (int x,y){ b=1; do do ::(x>y) -> x=x-y :: (b<a) -> b++ ::(y>x) -> y=y-x :: true -> goto enough :: (x==y)-> goto done od; od; enough: run Euclid(a,b)} done: ready=1; d=x } LTL: <>(ready && (a%d==0))

More Related