1 / 24

S PIN Search Algorithm

Explore the depth-first search algorithm for safety and liveness property checking in the SPIN model checker. Learn how to systematically verify properties of PROMELA models and ensure correctness. Understand the use of stack and state space in the algorithm.

idap
Download Presentation

S PIN Search Algorithm

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SPIN Search Algorithm from “THE SPIN MODEL CHECKER” by G Holzmann Presented by Hong,Shin 9th Nov 2007 SPIN Search Algorithm

  2. Contents • Introduction • Checking Safety Properties • Checking Liveness Properties • Adding Fairness • Further work SPIN Search Algorithm

  3. Introduction 1/1 • A global reachability graph A={S, s0, L, T, F} is generated by PROMELA semantic engine. • Global reachability graph A captures the behavior of asynchronous execution of processes A1 … Ak. • Verify correctness properties of PROMELA models. • Checking Safety properties • Checking Liveness properties SPIN Search Algorithm

  4. Checking Safety Properties 1/7 • Depth-first search algorithm systematically visitsevery reachable state. • By depth-first searching, safety properties such as deadlock state, progress assertions, and system invariant that should hold at some state s can be checked. • A stack and a state space are used in the algorithm. SPIN Search Algorithm

  5. Checking Safety Properties 2/7 1 Stack D = {} ; Statespace V = {} 2 Start() { 3 Add_Statespace(V, A.s0) ; 4 Push_Stack(D, A.s0) ; 5 Search() ; 6 } 7 Search() { 8 s = Top_Stack(D) ; 9 foreach (s,l,s’) 2 A.T 10 if In_Statespace(V, s’) == false { 11 Add_Statespace(V, s’) 12 Push_Stack(D, s’) 13 Search() 14 } 15 Pop_Stack(D) 16 } Basic Depth-First Search Algorithm SPIN Search Algorithm

  6. Checking Safety Properties 3/7 1 Stack D = {} ; Statespace V = {} 2 Start() { 3 Add_Statespace(V, A.s0) ; 4 Push_Stack(D, A.s0) ; 5 Search() ; 6 } 7 Search() { 8 s = Top_Stack(D) ; 9 if (!Safety(s)) Print_Stack(D) ; 10 foreach (s,l,s’) 2 A.T 11 if In_Statespace(V, s’) == false { 12 Add_Statespace(V, s’) ; 13 Push_Stack(D, s’) ; 14 Search() ; 15 } 16 Pop_Stack(D) ; 17 } Extended Algorithm for Checking Safety Properties SPIN Search Algorithm

  7. Checking Safety Properties 4/7 • We can adopt the depth-first search algorithms easily into depth-limited search to guarantees coverage up to a given depth bound. S0 S1 Depth-limit is 2 S2 e • Store the depth value together with each state in • statespace V. SPIN Search Algorithm

  8. Checking Safety Properties 5/7 1 Stack D = {} ; Statespace V = {} 2 Start() { 3 Add_Statespace(V, A.s0) ; 4 Push_Stack(D, A.s0) ; 5 Search() ;} 6 Search() { 7 if (Depth >= BOUND) return ; 8 Depth++ ; 9 s = Top_Stack(D) ; 10 if !Safety(s) Print_Stack(D) ; 11 foreach (s,l,s’) 2 A.T 12 if In_Statespace(V, s’, Depth) == false { 13 Add_Statespace(V, s’, Depth) 14 Push_Stack(D, s’) 15 Search() } 17 Pop_Stack(D) ; 18 Depth-- ; 19 } Depth-Limited Search Depth for each state visiting is store in state space if pan.c is compiled with DREACH option. SPIN Search Algorithm

  9. Checking Safety Properties 6/7 1 Stack D = {} ; 2 Start() { 3 Push_Stack(D, A.s0,0) ; 4 Search() ; 5 } 6 Search() { 7 s = Top_Stack(D) ; 8 if (!Safety(s)) { 9 Print_Stack(D) ; 10 if (iterative) BOUND = DEPTH ; 11 } 12 foreach (s,l,s’) 2 A.T 13 if (In_Stack(D, s’) == false) { 14 Push_Stack(D, s’) ; 15 Search() ; 16 } 17 Pop_Stack(D); 18 } Stateless Search SPIN Search Algorithm

  10. Checking Safety Properties 7/7 1 Queue D = {} ; Statespace V={} ; 2 Start() { 3 Add_Statespace(V, A.s0) ; 4 Push_Stack(D, A.s0) ; 5 Search() ; 6 } 7 Search() { 8 while (Empty_Queue(D) == false) { 9 s = Del_Queue(D) ; 10 foreach (s,1,s') 2 A.T { 11 if (In_Statespace(V, s') == false) { 12 Add_Statespace(V, s') ; 13 Add_Queue(D, s') ; 14 } 15 } 16 } 17 } Breath-First Search Algorithm • Pros • - Guarantee the shortest possible error • Cons • - Additional work is necessary for • error trace generation • - Hard to extend beyond safety • properties SPIN Search Algorithm

  11. Checking Liveness Properties 1/5 • We can only have an infinite run in a finite system if the run is cyclic. • We are particularly interested in case where the set of states that are reached infinitely often contains one or more accepting states since these runs correspond to ! accepting run. • An accepting cycle in the global reachability graph exists if and only if • At least one accepting state is reachable from initial state. • At least one of those accepting state is reachable from itself.  Use nested depth-first search algorithm for liveness properties checking. c.f. In synchronous product of automaton A = A1­ A2 … A.F is the set of pairs (s1, s2) ∈ A.S where s1 ∈ A1.F or s2 ∈ A2.F SPIN Search Algorithm

  12. Checking Liveness Properties 2/5 • Depth-first search determines that an accepting state has been reached, and all successors of that state have also been explored, it starts a nested search to see if the state is reachable from itself.  Nested search in post-order • Store a copy of the accepting state in a global, called seed. • Store pairs of a state and a boolean variable toggle for stack and state space elements. SPIN Search Algorithm

  13. Checking Liveness Properties 3/5 • Stack D = {} ; • Statespace V = {} ; • State seed = nil ; • Boolean toggle = false ; • Start() { 6 Add_Statespace(V, A.s0, toggle) ; 7 Push_Stack(D, A.s0, toggle) ; • Search() ; • } 10 Search() { 11 (s, toggle) = Top_Stack(D) ; 12 foreach (s, l, s’) 2 A.T { 13 if (toggle == true) { 14 if (s’ == seed || On_Stack(D, s’, false) { 15 PrintStack(D) ; 16 PopStack(D) ; 17 return ; } 18 } // end of if (toggle == true) SPIN Search Algorithm

  14. Checking Liveness Properties 4/5 19 if (In_Statespace(V, s’, toggle) == false) { 20 Add_Statespace(V, s’, toggle) ; 21 Push_Stack(D, s’, toggle) ; 22 Search() ; 23 } 24 } // end of foreach 25 if (s 2 A.F && toggle == false) { 26 seed = s ; 27 toggle = true ; 28 Push_Stack(D, s, toggle) ; 29 Search() ; 30 Pop_Stack() ; 31 seed = nil ; 32 toggle = false ; 33 } // end of if 34 Pop_Stack(D) ; 35 } // end of Search() ; SPIN Search Algorithm

  15. Checking Liveness Properties 5/5 • In nested search, if a successor was visited with toggle value true then it does not explore that successor. - Nested searching is excuted in post-order - Za is seed accepting state - Ze is a successor with toggle value true - Zn is an accepting state from which Ze was reachable. Zn Ze Za SPIN Search Algorithm

  16. Adding Fairness1/8 • What will be the result from SPIN ? bit a = 0 ; active proctype A() { do :: a = 0 ; od ; } active proctype B() { do :: a = 1 ; od ; } never { accept_init: T0_init: if :: (!a) -> goto T0_init ; fi ; } -bash-3.1$ ./a.out -a warning: for p.o. reduction to be valid the never claim must be stutter-invariant (never claims generated from LTL formulae are stutter-invariant) pan: acceptance cycle (at depth 0) pan: wrote fairness.pml.trail (Spin Version 4.2.7 -- 23 June 2006) : : -bash-3.1$ spin -t -p fairness.pml Starting A with pid 0 Starting B with pid 1 Starting :never: with pid 2 <<<<<START OF CYCLE>>>>> Never claim moves to line 23 [(!(a))] 2: proc 0 (A) line 7 "fairness.pml" (state 1) [a = 0] spin: trail ends after 2 steps SPIN Search Algorithm

  17. Adding Fairness 2/8 Strong Fairness An !-run ¾ satisfies the strong fairness requirement if it contains infinitely many transitions from every component automaton that is enabled infinitely often in ¾. Weak Fairness An !-run ¾ satisfies the weak fairness requirement if it contains infinitely many transitions from every component automaton that is enabled infinitely long in ¾. * Component automaton Ai is said to be enabled at state s of global automaton A if s has at least one valid outgoing transition from Ai. SPIN Search Algorithm

  18. Adding Fairness 3/8 • Chouseka’s flag construction method • SPIN only checks weak fairness of components. • For a global reachability graph A which is product of k component automaton A1, A2, … Ak. (1)Create k+2 copies(0 to k+1) of the global reachability graph. (2)Preserve the acceptance labels only in the 0-th copy and remove the accepting labels from all states in the remaining copies. (3)Change the destination states for all outgoing transitions of accepting states in 0-th copy to point to the same states in the 1-st copy. (4)In the i-th copy(1 · i · k), change the destination of each transition that was contributed by component automaton Ai to the same state in the (i+1)-th copy. (5)For k+1-th copy, change all transitions such that their destination state is now in the 0-th copy. (6) Add null transition from every state s in i-th copy (1 · i · k) to the same state in the (i+1)-th copy whenever automaton component i has no enabled transitions in s. SPIN Search Algorithm

  19. Adding Fairness 4/8 _pid  2 _pid  1 _pid = k _pid = 1 _pid = 1..k _pid = 2 _pid = 1..k copy0 copy1 copy2 copy k+1 (k + 2) Times Unfolded State Space for Weak Fairness SPIN Search Algorithm

  20. Adding Fairness 5/8 • These changes do not add or remove behavior but it should be clear that any accepting !–run in (k+2) times unfolded state space now necessarily includes transitions from all k component automata. • Nested depth-first search can be used to detect all fair accepting runs in the original graph. • This algorithm can enforce weak fairness. • In SPIN implementation, each state holds 2(k+2) additional bits to represent (k+2) copies of global reachability graph. SPIN Search Algorithm

  21. Adding Fairness 6/8 bit a = 0 ; active proctype A() /* pid=1 */ { do :: (a == 0) -> accept: a = 1 ; od ; } active proctype B() /* pid=2 */ { do :: (a == 1) -> a = 0 ; od ; } S1 a=0 pid=2 pid=1 S2 a=1 SPIN Search Algorithm

  22. Adding Fairness 7/8 copy 0 copy1 copy2 copy3 S01 S11 S21 S31 S12 S22 S32 S02 SPIN Search Algorithm

  23. Adding Fairness 8/8 • add weak fairness (-f option of ‘pan’) bit a = 0 ; active proctype A() { do :: a = 0 ; od ; } active proctype B() { do :: a = 1 ; od ; } never { accept_init: T0_init: if :: (!a) -> goto T0_init ; fi ; } ./a.out -f -a warning: for p.o. reduction to be valid the never claim must be stutter-invariant (never claims generated from LTL formulae are stutter-invariant) (Spin Version 4.2.7 -- 23 June 2006) + Partial Order Reduction Full statespace search for: never claim + assertion violations + (if within scope of claim) acceptance cycles + (fairness enabled) invalid end states - (disabled by never claim) SPIN Search Algorithm

  24. Further Works • Search Optimization (Ch. 9) • Partial Order Reduction, Bitstate Hashing, State Compressions, etc. SPIN Search Algorithm

More Related