SPIN Verification System
The Model Checker SPIN by Gerard J. Holzmann
Comp 587 – 12/2/09
Eduardo Borjas – Omer Azmon

Overview
• Problem
• Solution
• Applications
• Structure
• Example
• Live Demo
• Conclusion
• Q & A
Problem

Problem: Today's Problem With Design
• "Whether we like it or not, we often design software either by trial and error or by duplicating and modifying a piece of code that does something similar to what we want. This works fine for small applications, but fails miserably for large design projects or for critical code." – Gerard J. Holzmann

Problem: Deadly Embrace
• Process 1: Get A, Get B, Rel A, Rel B
• Process 2: Get B, Get A, Rel B, Rel A
(*Rel = Release)
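The deadly embrace on this slide written as a Promela model, as an added example that is not part of the original deck. Two processes take two locks in opposite order; SPIN's generated verifier (`spin -a`, then compile and run `pan`) reports an invalid end state, which is how a deadlock shows up in a SPIN run. The `acquire`/`release` inlines and the lock names are assumptions of this example.

```promela
/* Added example: the "deadly embrace" of the slide as a SPIN model.
   Run:  spin -a deadlock.pml && gcc -o pan pan.c && ./pan
   Expected: pan reports an invalid end state (both processes blocked). */

bool lockA = false;
bool lockB = false;

/* acquire blocks until the lock is free, then takes it in one atomic step;
   a plain test-and-set would itself be a race the model could expose */
inline acquire(l) { atomic { !l -> l = true } }
inline release(l) { l = false }

/* Process 1: Get A, Get B, Rel A, Rel B */
active proctype P1() {
    acquire(lockA);
    acquire(lockB);   /* blocks forever if P2 already holds B */
    release(lockA);
    release(lockB)
}

/* Process 2: Get B, Get A, Rel B, Rel A  (opposite lock order) */
active proctype P2() {
    acquire(lockB);
    acquire(lockA);   /* blocks forever if P1 already holds A */
    release(lockB);
    release(lockA)
}

/* Fix for the design flaw: make P2 take lockA before lockB, i.e. impose
   one global lock order. With that change pan finds no errors. */
```

The counter-example trail SPIN writes (`spin -t deadlock.pml`) replays the exact interleaving that leads to the blocked state.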
Problem: Design Flaws
• Deadlock
• Livelock
• Starvation
• Overspecification
• Unused code
• Underspecification
• Not all states are expected
• Assumptions about speed
• Logic vs. real world

Problem: Distributed Process Software Testing
• Complexity
• Scale
• Impractical
• Equipment availability
• Regression testing
• Time
• Timing in asynchronous processes
• Testing all instances
• Criticality
Solution

Solution: SPIN
• "SPIN is an efficient verification system for models of distributed software systems"
• SPIN focuses on process interactions
• Focus on proving correctness: the act of proving the correctness of an algorithm using formal methods of mathematics

Solution: SPIN
• SPIN aims to provide the following:
1) An intuitive, program-like notation for specifying design choices unambiguously, without implementation detail.
2) A powerful, concise notation for expressing general correctness requirements.
3) A methodology for establishing the logical consistency of the design choices from 1) and the matching correctness requirements from 2).

Solution: SPIN – Other Facts
• SPIN was awarded the System Software Award by the ACM (2002)
• Other award winners include UNIX, TeX, Smalltalk, TCP/IP, and Tcl/Tk
• Tools can translate Java or C programs into SPIN models
• Used by NASA, Bell Labs, and Lucent
• Currently taught at Caltech (CS 118, 119a-b, and 116)
Applications
• Traditional
  • Theoretical studies
  • Empirical studies (search and storage)
• Practical
  • Flood control (Computer Management Group)
  • Mission critical software (NASA)
  • Telephone exchange (Bell Labs & Lucent)
  • Packet switching
  • Railway safety (Ansaldo and IRST)
  • Client server applications

Applications
• Practical
  • Process scheduling
  • Leader election
  • Flow control
  • Multithreaded programs
Structure: SPIN
• SPIN is broken into two parts:
  • Design specification (PROMELA)
  • Correctness claims (Linear Temporal Logic)
• SPIN = Simple Promela INterpreter
• Tool flow (figure): the XSPIN front-end feeds the PROMELA parser and the LTL parser & translator; from the parsed model SPIN produces 1. syntax error reports, 2. interactive simulation, and 3. the verifier generator, whose optimized model checker is compiled into an executable on-the-fly verifier that reports counter-examples.

Structure: PROMELA
• Specification language (design)
• PROtocol MEta LAnguage
• One or more user-defined process templates
  • proctype definition
  • Each template defines the behavior of a process
  • A running process can instantiate another process

Structure: PROMELA
active proctype main() {
    printf("hello world\n")
}

Structure: Linear Temporal Logic
• LTL is an extension of propositional and predicate logic to temporal claims
• SPIN verification relies on LTL to make claims about models
• Just like symbolic logic, LTL can be isomorphically converted into finite state diagrams (Büchi automata)
Example

Example: Peterson's Mutual Exclusion (Critical Section) Algorithm
[State diagram for one process "me" competing with "other"]
• S0 → S1: flag[me] = 1
• S1 → S2: turn = me
• S2 → S3: flag[other] == 0 || turn == other (enter critical section)
• S2 → S2: flag[other] != 0 && turn == me (keep waiting)
• S3 → S4 → S5: critical section, then flag[me] = 0, back to S0

Example: Peterson's Mutual Exclusion (Critical Section) Algorithm
bool turn, flag[2];
active [2] proctype user() {
again:
    flag[_pid] = 1;
    turn = _pid;
    (flag[1 - _pid] == 0 || turn == 1 - _pid);
    /* Critical Section */
    flag[_pid] = 0;
    goto again;
}
Example: Peterson's Mutual Exclusion (Critical Section) Algorithm
bool turn, flag[2];
byte ncrit;
active [2] proctype user() {
    assert(_pid == 0 || _pid == 1);
again:
    flag[_pid] = 1;
    turn = _pid;
    (flag[1 - _pid] == 0 || turn == 1 - _pid);
    ncrit++;
    assert(ncrit == 1);   /* critical section */
    ncrit--;
    flag[_pid] = 0;
    goto again;
}
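The same Peterson model with the correctness requirement expressed in the deck's second notation, LTL, instead of an inline assertion, as an added example that is not from the original slides or from Holzmann. The claim names `mutex` and `progress` are assumptions of this example; SPIN 6 accepts `ltl` declarations directly in the model file.

```promela
/* Added example: Peterson's algorithm from the slides, with the
   correctness requirements stated as LTL claims.
   Run:  spin -a peterson.pml && gcc -o pan pan.c
         ./pan -a -N mutex      (checks the safety claim)
         ./pan -a -N progress   (checks the liveness claim)
   Expected: no errors for either claim. */

bool turn, flag[2];
byte ncrit;   /* number of processes currently in the critical section */

active [2] proctype user() {
again:
    flag[_pid] = 1;
    turn = _pid;
    (flag[1 - _pid] == 0 || turn == 1 - _pid);  /* blocks until true */
    ncrit++;
    /* critical section */
    ncrit--;
    flag[_pid] = 0;
    goto again
}

/* Safety: in every reachable state at most one process is inside.
   Equivalent to the assert(ncrit == 1) on the slide, but checked over
   all states rather than only at the point where the assert sits. */
ltl mutex { [] (ncrit <= 1) }

/* Liveness: along every infinite run some process enters the critical
   section again and again. The wait above is a blocking condition, not a
   spin loop, so a design where both processes could wait on each other
   would surface as a deadlock, and a run that starves entry forever
   would surface here as an acceptance cycle. */
ltl progress { [] <> (ncrit == 1) }
```

If either claim fails, `spin -t -p peterson.pml` replays the counter-example interleaving step by step.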
Conclusion
• Problem
  • For complex problems, did the design actually cover all of our bases?
  • How can I test distributed software process models efficiently and cost-effectively?
• Solution
  • SPIN formally proves temporal models mathematically
  • Easy to use

Information
• Holzmann, G. J. (2009). Spin – Formal Verification. Retrieved from http://www.spinroot.com
• Holzmann, G. J. (1997). The Model Checker SPIN. IEEE Transactions on Software Engineering, 23(5).
• Holzmann, G. J. (2006). The Spin Model Checker. Troy, NY: Addison Wesley.
• Cimatti, A., Giunchiglia, F., et al. Model Checking Safety Critical Software with SPIN: an Application to a Railway Interlocking System.

Questions & Answers
Comp 587 – 12/2/09
Eduardo Borjas – Omer Azmon
Thank You!