
Introduction to Spin and Promela


Presentation Transcript


  1. Introduction to Spin and Promela Sagar Chaki CMU

  2. Roadmap • Historical perspective • Overview of Spin • Overview of Promela • Simulation with Spin • Overview of LTL • Verification with Spin

  3. Part III Overview of LTL

  4. Basic concepts • Set of propositions: P, e.g. P = {a,b,c} • Infinite trace t over P: t = t_0, t_1, t_2, … with t_i ⊆ P for i ≥ 0 • t^i denotes the infinite suffix t_i, t_{i+1}, … • Example trace: {b},{a,c},{},{a,b,c},{a}, … • Set of all infinite traces over P: G(P)

  5. LTL syntax • f := p proposition | true | false | (f) | f binop f | unop f

  6. LTL syntax • unop := [] always (G) | <> eventually (F) | X next time | ! logical negation • binop := U strong until | && logical AND | || logical OR | -> implication | <-> equivalence

  7. LTL semantics • An infinite trace t (over P) either satisfies or does not satisfy an LTL formula f (over P) • Satisfaction is denoted by t ⊨ f

  8. LTL semantics • Given an infinite trace t = t_0, t_1, t_2, … and an LTL formula f we can decide whether t ⊨ f by recursion on the structure of f • t ⊨ p iff p ∈ t_0 • Always t ⊨ true • Never t ⊨ false • t ⊨ (f) iff t ⊨ f

  9. LTL semantics • t ⊨ [] f iff t^i ⊨ f for all i ≥ 0 • t ⊨ <> f iff there exists i ≥ 0 s.t. t^i ⊨ f • t ⊨ X f iff t^1 ⊨ f • t ⊨ !f iff NOT(t ⊨ f) • t ⊨ f1 U f2 iff there exists i ≥ 0 s.t. t^i ⊨ f2 and t^j ⊨ f1 for all 0 ≤ j < i

  10. LTL semantics • t ⊨ f1 && f2 iff t ⊨ f1 AND t ⊨ f2 • t ⊨ f1 || f2 iff t ⊨ f1 OR t ⊨ f2 • t ⊨ f1 -> f2 iff t ⊨ f1 IMPLIES t ⊨ f2 • t ⊨ f1 <-> f2 iff t ⊨ f1 IFF t ⊨ f2

  11. LTL semantics • An LTL formula can also be looked at as the set of infinite traces that satisfy it • Note the striking similarity with the case of regular expressions and finite strings over an alphabet Σ • If S is the set of traces that satisfy f then G(P) \ S is the set of traces that satisfy !f

  12. Examples • Trace: {a},{b},{a},{b}, … • [](a -> Xb) • [](a <-> Xb) • [](b -> Xa) • [](b <-> Xa) • [](a -> (b U a)) • [](a -> (a U b))
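The semantics of slides 8–10 can be run mechanically on any ultimately periodic trace, which is enough to settle the slide-12 examples. The following Python is an added example, not part of the original slides: the tuple encoding of formulas, the `Lasso` class and the `holds` function are this example's own names. It goes slightly beyond slide 12 by also handling traces with a non-empty prefix before the repeating part.

```python
"""LTL semantics (slides 8-10) over an ultimately periodic "lasso" trace.

Added example, not from the slides.  A lasso prefix + cycle^w, e.g.
prefix=[] and cycle=[{a},{b}], encodes {a},{b},{a},{b},...  Such a trace
has only len(prefix)+len(cycle) distinct suffixes t^i, so the
"for all i" / "there exists i" in the semantics only have to range over
those positions.  Formulas are nested tuples in the slides' syntax:
  ("p", name) | ("true",) | ("false",) | ("!", f) | ("X", f) | ("[]", f)
  | ("<>", f) | ("U", f, g) | ("&&", f, g) | ("||", f, g) | ("->", f, g)
  | ("<->", f, g)
"""
from functools import lru_cache


class Lasso:
    def __init__(self, prefix, cycle):
        assert cycle, "the cycle must be non-empty, otherwise the trace is finite"
        self.prefix = [frozenset(s) for s in prefix]
        self.cycle = [frozenset(s) for s in cycle]
        self.lp, self.lc = len(self.prefix), len(self.cycle)

    def at(self, i):
        """t_i, the set of propositions true at position i."""
        return self.prefix[i] if i < self.lp else self.cycle[(i - self.lp) % self.lc]

    def canon(self, i):
        """Smallest index whose suffix equals t^i (folds the cycle back)."""
        return i if i < self.lp + self.lc else self.lp + (i - self.lp) % self.lc

    def suffixes_from(self, i):
        """Canonical indices of every distinct suffix t^j, j >= i, in trace order."""
        if i < self.lp:
            return list(range(i, self.lp + self.lc))
        return [self.lp + (i - self.lp + k) % self.lc for k in range(self.lc)]


def holds(trace, formula):
    """Decide trace |= formula by recursion on the structure of the formula."""
    @lru_cache(maxsize=None)
    def sat(f, i):
        op = f[0]
        if op == "p":
            return f[1] in trace.at(i)
        if op == "true":
            return True
        if op == "false":
            return False
        if op == "!":
            return not sat(f[1], i)
        if op == "X":
            return sat(f[1], trace.canon(i + 1))
        if op == "[]":
            return all(sat(f[1], j) for j in trace.suffixes_from(i))
        if op == "<>":
            return any(sat(f[1], j) for j in trace.suffixes_from(i))
        if op == "U":
            # strong until: f2 at some position ahead, f1 at every position before it;
            # the first position where f2 holds suffices, so one pass is enough
            for j in trace.suffixes_from(i):
                if sat(f[2], j):
                    return True
                if not sat(f[1], j):
                    return False
            return False
        if op in ("&&", "||", "->", "<->"):
            x, y = sat(f[1], i), sat(f[2], i)
            return {"&&": x and y, "||": x or y, "->": (not x) or y, "<->": x == y}[op]
        raise ValueError(f"unknown operator {op!r}")
    return sat(formula, 0)


# ---- constructed inputs ----
a, b, c = ("p", "a"), ("p", "b"), ("p", "c")
ALT = Lasso([], [{"a"}, {"b"}])                # {a},{b},{a},{b},...  (slide 12)
AB = Lasso([{"a"}], [{"b"}])                   # {a},{b},{b},{b},...
SLIDE12 = [("[]", ("->", a, ("X", b))), ("[]", ("<->", a, ("X", b))),
           ("[]", ("->", b, ("X", a))), ("[]", ("<->", b, ("X", a))),
           ("[]", ("->", a, ("U", b, a))), ("[]", ("->", a, ("U", a, b)))]

if __name__ == "__main__":
    for f in SLIDE12:
        print(f, holds(ALT, f))                # all six hold on the alternating trace
    print(holds(ALT, ("<>", ("[]", a))))       # False: a is never stable
    print(holds(AB, ("<>", ("[]", b))))        # True: b is stable after the prefix
```

All six slide-12 formulas hold on the alternating trace; note that `[](a -> (b U a))` holds only because strong until is satisfied immediately when its right operand is true at the current position (i = 0 in the slide-9 definition, so no position has to satisfy b).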

  13. Things to remember • Every LTL formula represents the set of infinite traces which satisfy it

  14. Buchi automata • Recall the similarity of LTL with regular expressions • Regular languages are accepted by finite automata • Are there automata for LTL? • Turns out there are • They are called Buchi automata

  15. Buchi automata • Fix an alphabet Σ • A Buchi automaton is a 4-tuple <Q, I, δ, F> • Q : set of states • I : initial state • δ : transition relation, a subset of Q × Σ × Q • F : set of accepting states • In our case Σ is 2^P

  16. Example [Figure: two-state Buchi automaton with states S0 and S1 and transitions labelled a and b, i.e. S0 --a--> S1 and S1 --b--> S0, matching the trace on slide 19] • I = S0, F = {S0}

  17. Buchi automata • A run is an infinite sequence of states s0, s1, s2, … such that • s0 = I • there exists a_i ∈ Σ s.t. (s_i, a_i, s_{i+1}) ∈ δ for i ≥ 0 • A run is an accepting run iff it visits some accepting state infinitely often

  18. Buchi automata • Given a run s = s0, s1, s2, … a trace t = t0, t1, t2, … is said to correspond to s iff (s_i, t_i, s_{i+1}) ∈ δ for i ≥ 0 • The language of a Buchi automaton is the set of traces corresponding to its accepting runs • LTL also corresponds to a set of traces

  19. Example [Figure: the slide-16 automaton again, S0 --a--> S1 --b--> S0, I = S0, F = {S0}] • Traces : {{a},{b},{a},{b},…} • The only run alternates S0, S1, S0, S1, … and visits S0 infinitely often, so it is accepting and its corresponding trace is the single element of the language

  20. Cute results • BA are closed under complementation • For every Buchi automaton A there exists another Buchi automaton B such that the language of A is the complement of the language of B • Here complement means set difference from G(P)

  21. Cute results • BA are closed under intersection and union • Checking if the language of a Buchi automaton is empty is decidable • So we can check if the languages of two Buchi automata have a non-empty intersection

  22. Cute results • Buchi automata are not always determinisable • There exists a non-deterministic Buchi automaton A such that there is no deterministic Buchi automaton with the same language as A • Non-deterministic means some state has multiple outgoing transitions with the same label

  23. Cute results • The set of languages accepted by Buchi automata is called the set of ω-regular languages • This is a strict superset of the languages expressible in LTL • Every LTL formula corresponds to some BA • There exists a BA whose language does not correspond to any LTL formula

  24. Things to remember • Every LTL formula represents the set of infinite traces which satisfy it • Every LTL formula has a corresponding Buchi automaton

  25. Kripke structure • Is a 4-tuple <S, I, δ, L> • S : set of states • I : initial state • δ : transition relation, a subset of S × S • L : labeling function, L : S -> 2^P

  26. Computations and Traces • A computation is an infinite sequence of states s0, s1, s2, … such that • s0 = I • (s_i, s_{i+1}) ∈ δ for i ≥ 0 • Given a computation s0, s1, s2, … the corresponding trace is L(s0), L(s1), L(s2), …

  27. Kripke and Buchi • Kripke looks different from Buchi • Labels are on states not transitions • No accepting states • Nevertheless … • For every Kripke structure K there exists a Buchi automaton which accepts exactly the set of traces corresponding to computations of K

  28. Kripke to Buchi [Figure: a Kripke structure with states S0, S1, S2 carrying the labels a, b, c; I = S0]

  29. Kripke to Buchi [Figure: the same three states, with each state's label moved onto all of its incoming transitions]

  30. Kripke to Buchi [Figure: the automaton from slide 29 plus a fresh initial state S3 whose transition into S0 carries L(S0), shown as a] • I = S3, F = {S0, S1, S2, S3} • Every state is accepting, so every infinite path is an accepting run, and labelling each transition with the label of its target state makes the accepted traces exactly L(s0), L(s1), … for the computations of the Kripke structure

  31. Things to remember • Every LTL formula represents the set of infinite traces which satisfy it • Every LTL formula has a corresponding Buchi automaton • Every Kripke structure has a corresponding Buchi automaton

  32. What do we really want? • Kripke M ⊨ LTL f • Traces of M contained in traces of f • Language of Buchi of M contained in language of Buchi of f • Equivalently, language of Buchi of M has empty intersection with language of Buchi of !f • This is decidable

  33. LTL model checking • Two ways to do it • Convert Kripke to Buchi • Convert claim (LTL) to Buchi • Check language inclusion • OR • Convert !claim (LTL) to Buchi • Check empty intersection

  34. What Spin does • Checks whether the intersection is non-empty; an accepting cycle found in the product is reported as a counterexample • Requires very little space in the best case, because the product is explored on the fly and the search stops at the first accepting cycle • Works directly with Promela • No explicit conversion to Kripke or Buchi • You must provide Spin with the negation of the property you want to prove, as a never claim
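To make slides 27–34 concrete, here is an added Python example (not Spin's code and not from the slides) that converts a Kripke structure to a Buchi automaton with the slide-30 construction, builds the product with a never-claim automaton for !f, and decides emptiness by looking for a reachable accepting state that lies on a cycle. The same emptiness check, applied to the slide-16 automaton, decides whether a word is in its language (slides 17–19). The Kripke structure M with labels a, b, c on S0, S1, S2, the `never(p, q)` claim automata, the two-state "word" structures and all function names are this example's own assumptions.

```python
"""Model checking as Buchi emptiness (slides 27-34): M |= f iff the
language of B_M and the language of B_!f have empty intersection.

Added example, not Spin's own code.  A Kripke structure is a tuple
(states, init, edges, label) with edges a set of (s, s') pairs and
label[s] a frozenset of propositions.  A Buchi automaton is a tuple
(states, init, delta, accept); the middle element of a delta triple is
either a concrete letter (a frozenset, an element of 2^P) or a predicate
on letters, so one edge of a claim automaton can stand for many letters.
"""


def kripke_to_buchi(kripke, fresh="init"):
    """Slide-30 construction: every state's label moves onto all of its
    incoming transitions, a fresh initial state feeds the old initial
    state with that state's label, and every state is accepting."""
    states, init, edges, label = kripke
    assert fresh not in states, "the new initial state must not clash"
    delta = {(s, label[t], t) for (s, t) in edges}
    delta.add((fresh, label[init], init))
    return set(states) | {fresh}, fresh, delta, set(states) | {fresh}


def matches(guard, letter):
    return guard(letter) if callable(guard) else guard == letter


def product(bm, bf):
    """Reachable part of the synchronous product B_M x B_f.  Every state
    of B_M accepts, so a product state accepts iff its B_f part does.
    Returns (initial state, successor map, accepting states)."""
    _, im, dm, _ = bm
    _, i_f, df, acc_f = bf
    init, succ, stack = (im, i_f), {}, [(im, i_f)]
    while stack:
        s, q = stack.pop()
        if (s, q) in succ:
            continue
        succ[(s, q)] = {(s2, q2) for (s1, letter, s2) in dm if s1 == s
                        for (q1, guard, q2) in df if q1 == q and matches(guard, letter)}
        stack.extend(succ[(s, q)])
    return init, succ, {n for n in succ if n[1] in acc_f}


def bfs_path(succ, src, dst):
    """Shortest path src -> dst using at least one edge (src == dst asks
    for a cycle through src), or None if there is none."""
    prev, frontier = {}, [src]
    while frontier:
        nxt = []
        for n in frontier:
            for m in succ.get(n, ()):
                if m in prev:
                    continue
                prev[m] = n
                if m == dst:
                    path = [dst]
                    while len(path) == 1 or path[-1] != src:
                        path.append(prev[path[-1]])
                    return path[::-1]
                nxt.append(m)
        frontier = nxt
    return None


def intersection_witness(kripke, automaton):
    """An accepting lasso of B_M x A, projected onto M's labels as
    (prefix, cycle), or None when the intersection is empty.  The language
    is non-empty iff some reachable accepting state lies on a cycle."""
    init, succ, accepting = product(kripke_to_buchi(kripke), automaton)
    label = kripke[3]
    for acc in sorted(accepting):
        pre, cyc = bfs_path(succ, init, acc), bfs_path(succ, acc, acc)
        if pre is not None and cyc is not None:
            # pre[0] is the fresh initial state, which carries no label
            return [label[s] for s, _ in pre[1:-1]], [label[s] for s, _ in cyc[:-1]]
    return None


def model_check(kripke, never_claim):
    """(True, None) when M |= f; otherwise (False, counterexample trace),
    where never_claim is a Buchi automaton for !f."""
    witness = intersection_witness(kripke, never_claim)
    return witness is None, witness


# ---- constructed inputs (the slides' figures are not recoverable) ----
A, B, C = frozenset("a"), frozenset("b"), frozenset("c")

# Three states cycling S0 -> S1 -> S2 -> S0, labelled a, b, c (assumed).
M = ({"S0", "S1", "S2"}, "S0", {("S0", "S1"), ("S1", "S2"), ("S2", "S0")},
     {"S0": A, "S1": B, "S2": C})


def never(p, q):
    """Buchi automaton for <>(p && X !q), the negation of [](p -> X q):
    q0 waits, q1 has just read p, q2 has then read a letter without q."""
    return ({"q0", "q1", "q2"}, "q0",
            [("q0", lambda l: True, "q0"), ("q0", lambda l: p in l, "q1"),
             ("q1", lambda l: q not in l, "q2"), ("q2", lambda l: True, "q2")],
            {"q2"})


# Slide-16 automaton S0 -a-> S1 -b-> S0, F = {S0}, plus the words
# ({a},{b})^w and ({a},{a})^w written as two-state Kripke structures.
SLIDE16 = ({"S0", "S1"}, "S0", [("S0", A, "S1"), ("S1", B, "S0")], {"S0"})
AB_WORD = ({"W0", "W1"}, "W0", {("W0", "W1"), ("W1", "W0")}, {"W0": A, "W1": B})
AA_WORD = ({"W0", "W1"}, "W0", {("W0", "W1"), ("W1", "W0")}, {"W0": A, "W1": A})

if __name__ == "__main__":
    print(model_check(M, never("a", "b")))         # (True, None): [](a -> X b) holds
    print(model_check(M, never("b", "a")))         # (False, ([{a},{b},{c}], [{a},{b},{c}]))
    print(intersection_witness(AB_WORD, SLIDE16))  # ([{a}], [{b},{a}]): word accepted
    print(intersection_witness(AA_WORD, SLIDE16))  # None: word rejected
```

The witness returned for a failed claim is a lasso (prefix, cycle) over M's own labels, which is exactly the shape of counterexample Spin prints as a trail: a finite stem followed by a cycle through an accepting state of the never claim. Real checkers use a nested depth-first search instead of a BFS per accepting state so that the product never has to be stored in full; the BFS here keeps the example short.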

  35. Time for example 5

  36. References • http://cm.bell-labs.com/cm/cs/what/spin/ • http://cm.bell-labs.com/cm/cs/what/spin/Man/Manual.html • http://cm.bell-labs.com/cm/cs/what/spin/Man/Quick.html
