OOTI Workshop on Model Checking and Static Analysis

Post on 07-Jan-2016


OOTI Workshop on Model Checking and Static Analysis

Dragan Bošnački

Eindhoven University of Technology

The Netherlands

Some Practical Information

Lecturer:

Dragan Bošnački

WH 3.101 (BME), LaQuSo (CS)

dragan@win.tue.nl

D.Bosnacki@tue.nl

Spin web page:

http://spinroot.com

Workshop web page:

http://www.win.tue.nl/~dragan/OOTI2009

Literature:

The Spin Model Checker by Gerard Holzmann, IEEE Trans. on Software Engineering, Vol. 23, No. 5, May 1997, pp. 279-295.

Outline for Today

• About the course

• Brief Introduction: Formal Methods, Model Checking, Spin 

• A quick start with Spin: a Mutual Exclusion Protocol and the Pathfinder

• Study on-line documentation

• Exercises

Schedule

• Tuesday, 21/4, morning: lectures+exercises

• Wednesday, 22/4, morning: exercises, afternoon: lectures+exercises

• Thursday, 23/4, morning: lectures, afternoon: assignment 1

• Friday, 24/4, morning: lectures+exercises, afternoon: assignment 2

• Monday, 27/4, morning: lectures, afternoon: working on assignment 2

• Tuesday, 28/4, afternoon: working on assignment 2

• (Wednesday, 29/4, afternoon: working on assignment 2)

Evaluation

Mark based on

• One smaller assignment (25%)

• Final assignment (75%)

Workshop Topics

• Formal Methods, Model Checking

• The Model Checker Spin

• The language Promela

• Verifying safety properties (assertions, deadlocks) with Spin

• Linear Temporal Logic, Buechi Automata

• Verifying liveness properties (LTL formulae) with Spin

• Hands-on exercises with Spin

• Extension of Spin with discrete time

• Advanced Static Analysis (“Syntactic” Model Checking)

• Principles of Static Analysis via Model Checking

• Hands-on exercises with UNO

Objectives of the Workshop (Model Checking)

At the end of the lectures the student:

• has a general picture about Model Checking

• has overview of Spin and Promela

• has a basic practical knowledge of Spin

• is able to write models in Promela

• is able to verify safety properties (assertions, deadlocks) with Spin

• knows the basics of Linear Temporal Logic

• has informal knowledge about Buechi automata

• is able to verify liveness properties expressed as LTL formulae with Spin

• knows the main advantages and drawbacks of Model Checking and Spin

Objectives of the Workshop (Static Analysis)

At the end of the lectures the student:

• has a general picture about Static Analysis

• Knows the basics of performing Static Analysis via Model Checking

• has a basic practical knowledge of UNO

• is able to check dynamic properties (e.g. race conditions, blocking)

Formal Methods

• The need for formal methods

• Every mature engineering discipline features

– Abstraction: “Modeling” (mathematical or executable models / design prototype)

– Analysis: “Model checking” (manual or automated)

• In hardware and software design

– trial and error (testing, simulation)

– duplication (adjusting earlier designs, peer review)

• Formal methods aim to replace the second set with the first set

• Good methodology and tools needed

Model Checking: The Glorious Side

• Honors and awards

– Turing Award 2007: E.M. Clarke, E.A. Emerson and J. Sifakis

– ACM System Software Award: SPIN, G.J. Holzmann

– … and many other ACM and IEEE awards

But, Is It Really Used?

• Microsoft – SDV, SLAM, Zing

• Bell Labs (AT&T, Alcatel-Lucent) – SPIN, COSPAN, FeaVer, VeriSoft

• Siemens

• Intel

Migrating from academia to industry

“Still work to do before Software Model Checking for the masses”

(P. Godefroid)

What is Model Checking Good For?

• Model checking is useful in safety critical systems – e.g. aviation industry, medical equipment, nuclear plants, telecommunication

• Some Spin success stories

– Storm surge barrier

– Lucent PathStar phone switch

– NASA mission critical software (Deep Space 1, Cassini, Mars Exploration Rovers)

• With the proliferation of embedded software its importance will increase also in everyday applications

Slide by G.J. Holzmann

New Horizons

• Emerging parallel hardware technology

– multi-core processors

– general purpose graphics processing units (GPGPUs)

• Parallel programs are notoriously difficult to write

• Excellent opportunity for model checking – verification of new parallel technologies using the power of these technologies

Model Checking

• Widespread technique for the debugging and verification of concurrent/reactive systems

• Relatively easy to use

Success due to:

• Similarity with programming

• Automation, speed, counter-examples

• Formality (striving after verification)

- Clear semantics of the model and the properties

Model Checking (2)

[Diagram: System S satisfies property p; on the formal side, Model M (written in a modeling language) satisfies formal property f (written in temporal logic)]

State space explosion

- reduction techniques needed

Model Checking (3)

• Basically (almost) a brute force analysis of the model’s state space

– by direct exploration (explicit)

– by symbolic exploration

• The exploration in both cases is in principle exhaustive.

• We will deal mainly with direct (explicit state) model checking

Model Checking Applied in the Earlier Phases

[Diagram: software life cycle – analysis → requirements → specification → design → coding → testing → release → maintain; model checking is applied in the earlier phases]

A Little Bit of History

• APPROVER

– probably the first tool for automated verification of concurrent systems

– written by Jan Hajek at TU/e ’77-’79

Approver Paper: Jan Hajek, Protocols Verified with Approver (1978)

Model Checking Tools

• SPIN – created by Gerard Holzmann at Bell Labs at the end of the 80s

• Many other model checking tools – SMV, NuSMV, mCRL2, COSPAN, SLAM, BLAST, Zing, Java PathFinder, Bandera, Bogor, Divine, …

Spin, Promela, Xspin

[Diagram: Promela building blocks – Process, Global variable, Channel (buffered), Channel (rendez-vous)]

• Promela: C, CSP-like communications, Dijkstra’s guarded commands

• Spin

Spin, Promela, Xspin (2)

• buffered and synchronous communication

• shared memory

• asynchronous and interleaved execution of statements

• no assumption on the execution speed of the statements

Spin, Promela, Xspin (4)

• Depth first search of the state space

• Verification of

– safety (invalid end-states, assertions)

– liveness (non-progress cycles)

– never claims (Buechi automata, LTL)

• Xspin – graphical interface for Spin – various output formats (e.g. Message Sequence Charts)

Spin, Promela, XSpin (3)

[Diagram: Spin tool flow – Model (Promela source) → SPIN → Simulation output (simulation: random, interactive, guided); SPIN → Analyzer (C source) → C compiler → Analyzer (exec) → Verification output / Error trail]

Parallel Processes

Prog/Proc A:          Prog/Proc B:
  Print A1;             Print B1;
  Print A2              Print B2

Outcomes:

A1;A2;B1;B2

A1;B1;B2;A2

Parallel Processes

Proc A:          Proc B:
  X = 1;           Y = 0
  Y = 4;
  X = X + Y

We want X == 5 after Proc A has ended

Solution:

Proc A:          Proc B:
  Block(Y);        Y = 0
  X = 1;
  Y = 4;
  X = X + Y;
  Release(Y)

Parallel Processes

Proc A:          Proc B:
  X = … ;          Y = … ;
  Y = … ;          X = … ;

Proc A:          Proc B:
  Block X;         Block Y;
  Block Y;         Block X;
  X = … ;          Y = … ;
  Y = … ;          X = … ;
  Release Y;       Release X;
  Release X        Release Y

Parallel Processes


Trouble – besides the “normal” execution

A: Block X; A: Block Y; A: Release Y; A: Release X; B: …

there is also a blocking one

A: Block X; B: Block Y; Deadlock!

Quick Start with Spin

• A Mutual Exclusion Protocol

• Mars Pathfinder

Reduction Techniques

• Tackling the state-explosion problem

– Partial Order Reduction

– Approximation Techniques (Bit-State Hashing, Hash Compact)

– Abstractions

– Symbolic Techniques (Minimized Automaton)

Partial Order Reduction

[Figure: Partial Order Reduction for Proc A || Proc B. Proc A: s0 –a1→ s1 –a2→ s2; Proc B: r0 –b1→ r1 –b2→ r2. The full state space of A || B contains all nine product states s0r0 … s2r2 and every interleaving of a1, a2, b1, b2; the reduced state space keeps only the states s0r0, s1r0, s2r0, s2r1, s2r2 along a single representative interleaving a1, a2, b1, b2]