OOTI Workshop on Model Checking and Static Analysis • Dragan Bošnački, Eindhoven University of Technology, The Netherlands
Some Practical Information • Lecturer: • Dragan Bošnački • WH 3.101 (BME), LaQuSo (CS) • dragan@win.tue.nl • D.Bosnacki@tue.nl • Spin web page: • http://spinroot.com • Workshop web page: • http://www.win.tue.nl/~dragan/OOTI2009 • Literature: • The Spin Model Checker by Gerard Holzmann, IEEE Trans. on Software Engineering, Vol. 23, No. 5, May 1997, pp. 279-295.
Outline for Today • About the course • Brief Introduction: Formal Methods, Model Checking, Spin • A quick start with Spin: a Mutual Exclusion Protocol and The Pathfinder • Study on-line documentation • Exercises
Schedule • Tuesday, 21/4, morning: lectures+exercises • Wednesday, 22/4, morning: exercises, afternoon: lectures+exercises • Thursday, 23/4, morning: lectures, afternoon: assignment 1 • Friday, 24/4, morning: lectures+exercises, afternoon: assignment 2 • Monday, 27/4, morning: lectures, afternoon: working on assignment 2 • Tuesday, 28/4, afternoon: working on assignment 2 • (Wednesday, 29/4, afternoon: working on assignment 2)
Evaluation • Mark based on • One smaller assignment (25%) • Final assignment (75%)
Workshop Topics • Formal Methods, Model Checking • The Model Checker Spin • The language Promela • Verifying safety properties (assertions, deadlocks) with Spin • Linear Temporal Logic, Buechi Automata • Verifying liveness properties (LTL formulae) with Spin • Hands-on exercises with Spin • Extension of Spin with discrete time • Advanced Static Analysis (“Syntactic” Model Checking) • Principles of Static Analysis via Model Checking • Hands-on exercises with UNO
Objectives of the Workshop (Model Checking) • At the end of the lectures the student: • has a general picture of Model Checking • has an overview of Spin and Promela • has a basic practical knowledge of Spin • is able to write models in Promela • is able to verify safety properties (assertions, deadlocks) with Spin • knows the basics of Linear Temporal Logic • has informal knowledge of Buechi automata • is able to verify liveness properties expressed as LTL formulae with Spin • knows the main advantages and drawbacks of Model Checking and Spin
Objectives of the Workshop (Static Analysis) • At the end of the lectures the student: • has a general picture of Static Analysis • knows the basics of performing Static Analysis via Model Checking • has a basic practical knowledge of UNO • is able to check dynamic properties (e.g. race conditions, blocking)
Formal Methods • The need for formal methods • Every mature engineering discipline features • Abstraction • “Modeling” (mathematical or executable models/design prototype) • Analysis • “Model checking” (manual or automated) • In hardware and software design • trial and error -- (testing, simulation), • duplication (adjusting earlier designs, peer review) • Formal methods aim to replace the second set with the first set • Good methodology and tools needed
Model Checking: The Glorious Side • Honors and awards • Turing Award 2007 • E.M. Clarke, E.A. Emerson and J. Sifakis • ACM System Software Award • SPIN, G.J. Holzmann • System Software Award • … and many other ACM and IEEE awards
But, Is It Really Used? • Microsoft • SDV, SLAM, Zink • Bell Labs (AT&T, Alcatel-Lucent) • SPIN, COSPAN, FeaVer, VerySoft • Siemens • Intel • Migrating from academia to industry • “Still work to do before Software Model Checking for the masses” • (P. Godefroid)
What is Model Checking Good For? • Model checking is useful in safety critical systems • e.g. aviation industry, medical equipment, nuclear plants, telecommunication • Some Spin success stories • Storm surge barrier • Lucent PathStar phone switch • NASA mission critical software (Deep Space 1, Cassini, Mars Exploration Rovers) • With the proliferation of embedded software its importance will also increase in everyday applications
New Horizons • Emerging parallel hardware technology • multi-core processors • general purpose graphics processing units (GPGPUs) • Parallel programs are notoriously difficult to write • Excellent opportunity for model checking • Verification of new parallel technologies using the power of these technologies
Model Checking • Widespread technique for the debugging and verification of concurrent/reactive systems • Relatively easy to use • Success due to: • Similarity with programming • Automation, speed, counter-examples • Formality (striving after verification) • Clear semantics of the model and the properties
Model Checking (2) • [Figure: a System S is modelled as a Model M (Modeling Language); the required property p is formalised as a Formal property f (Temporal Logic); model checking decides whether M satisfies f] • State space explosion: reduction techniques needed
Model Checking (3) • Basically (almost) a brute force analysis of the model’s state space • by direct exploration (explicit) • by symbolic exploration • The exploration in both cases is in principle exhaustive. • We will deal mainly with direct (explicit state) model checking
Model Checking Applied in the Earlier Phases • [Figure: software life cycle: analysis, requirements, specification, design, coding, testing, release, maintain; model checking is applied in the earlier phases]
A Little Bit of History • APPROVER • probably the first tool for automated verification of concurrent systems • Written by Jan Hajek at TU/e ’77-’79
Model Checking Tools • SPIN • created by Gerard Holzmann at Bell Labs at the end of the 80s • Many other model checking tools • SMV, NuSMV, mCRL2, COSPAN, SLAM, BLAST, Zink, Java PathFinder, Bandera, Bogor, Divine, …
Spin, Promela, Xspin • Spin • [Figure: Spin's modelling concepts: Process, Global variable, Channel (buffered), Channel (rendez-vous)] • Promela: • C, CSP-like communications, Dijkstra’s guarded commands
Two Computer Scientists • E.W. Dijkstra • C.A.R. Hoare
Spin, Promela, Xspin (2) • buffered and synchronous communication • shared memory • asynchronous and interleaved execution of statements • no assumption on the execution speed of the statements
Spin, Promela, Xspin (4) • Depth first search of the state space • Verification of • safety (invalid end-states, assertions) • liveness (non-progress cycles) • never claims (Buechi automata, LTL) • Xspin: graphical interface for Spin • various output formats (e.g. Message Sequence Charts)
Spin, Promela, XSpin (3) • [Figure: Spin workflow. Model (Promela source) → SPIN → Simulation (random, interactive, guided) → Simulation output. SPIN → Analyzer (C source) → C compiler → Analyzer (exec) → Verification → Verification output and Error trail; the error trail drives a guided simulation]
Parallel Processes • Prog/Proc A: Print A1; Print A2 • Prog/Proc B: Print B1; Print B2 • Outcomes: A1;A2;B1;B2 • A1;B1;B2;A2
Parallel Processes
• Proc A:            Proc B:
    X = 1;             Y = 0
    Y = 4;
    X = X + Y
• We want X == 5 after Proc A has ended
• Solution:
  Proc A:            Proc B:
    Block(Y);          Y = 0
    X = 1;
    Y = 4;
    X = X + Y;
    Release(Y)
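The race above as a Promela model, added here as an example (not code from the slides). Without the lock, Spin finds an interleaving where B's Y = 0 lands between A's Y = 4 and X = X + Y, so assert(X == 5) fails; the fixed variant assumes B also brackets its write with Block(Y)/Release(Y), which the slide does not show but which the lock needs to be effective.

```promela
/* Added example: the Proc A / Proc B race from the slide.
   Unfixed:  spin -a race.pml && gcc -o pan pan.c && ./pan     -> assertion violated
   Fixed:    spin -DFIXED -a race.pml && gcc -o pan pan.c && ./pan
   Replay a counterexample: spin -t -p race.pml                 */

int X = 0;
int Y = 0;
bit lockY = 0;            /* 1 while some process holds Y */

/* Block waits until the lock is free and takes it in one atomic step */
inline Block(l)   { atomic { l == 0 -> l = 1 } }
inline Release(l) { l = 0 }

active proctype A() {
#ifdef FIXED
  Block(lockY);
#endif
  X = 1;
  Y = 4;
  X = X + Y;
  assert(X == 5);         /* the property we want when A has ended */
#ifdef FIXED
  Release(lockY);
#endif
}

active proctype B() {
#ifdef FIXED
  Block(lockY);           /* assumption: B honours the same lock, otherwise the fix is void */
#endif
  Y = 0;
#ifdef FIXED
  Release(lockY);
#endif
}
```

The failing trail shows A: X = 1; A: Y = 4; B: Y = 0; A: X = X + Y, leaving X == 1.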
Parallel Processes
• Proc A:            Proc B:
    X = … ;            Y = … ;
    Y = … ;            X = … ;
• Proc A:            Proc B:
    Block X;           Block Y;
    Block Y;           Block X;
    X = … ;            Y = … ;
    Y = … ;            X = … ;
    Release Y;         Release X;
    Release X          Release Y
Parallel Processes
  Proc A:            Proc B:
    Block X;           Block Y;
    Block Y;           Block X;
    X = … ;            Y = … ;
    Y = … ;            X = … ;
    Release Y;         Release X;
    Release X          Release Y
• Trouble: besides the “normal” execution
    A: Block X; A: Block Y; A: Release Y; A: Release X; B: …
  there is also a blocking one
    A: Block X; B: Block Y; Deadlock!
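The lock-ordering deadlock above as a Promela model, added as an example (not code from the slides). Spin's default verification reports the blocked state as an invalid end state; the -DORDERED variant makes B take the locks in A's order, which removes the cyclic wait.

```promela
/* Added example: A takes X then Y, B takes Y then X.
   Deadlock:  spin -a deadlock.pml && gcc -o pan pan.c && ./pan   -> invalid end state
   Trail:     spin -t -p deadlock.pml
   Fixed:     spin -DORDERED -a deadlock.pml && gcc -o pan pan.c && ./pan */

bit lockX = 0;
bit lockY = 0;
int X = 0;
int Y = 0;

inline Block(l)   { atomic { l == 0 -> l = 1 } }   /* blocks while l is held */
inline Release(l) { l = 0 }

active proctype A() {
  Block(lockX);
  Block(lockY);           /* stuck here if B already holds Y */
  X = 1;
  Y = 2;
  Release(lockY);
  Release(lockX);
}

active proctype B() {
#ifdef ORDERED
  Block(lockX);           /* same order as A: no cyclic wait possible */
  Block(lockY);
#else
  Block(lockY);
  Block(lockX);           /* stuck here if A already holds X */
#endif
  Y = 3;
  X = 4;
  Release(lockX);
  Release(lockY);
}
```

In the deadlocking trail both processes sit in Block with no executable statement left, which is exactly what pan flags as an invalid end state.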
Quick Start with Spin • A Mutual Exclusion Protocol • Mars Pathfinder
Reduction Techniques • Tackling the state-explosion problem • Partial Order Reduction • Approximation Techniques (Bit-State Hashing, Hash Compact) • Abstractions • Symbolic Techniques (Minimized Automaton)
Partial Order Reduction • [Figure: Proc A with states s0, s1, s2 and transitions a1, a2; Proc B with states r0, r1, r2 and transitions b1, b2; the product Proc A || B over the states s0r0 … s2r2 is shown twice: the full interleaving graph and the reduced graph explored under partial order reduction]