OOTI Workshop on Model Checking and Static Analysis
Transcript of OOTI Workshop on Model Checking and Static Analysis
OOTI Workshop on Model Checking and Static Analysis
Dragan Bošnački
Eindhoven University of Technology
The Netherlands
Some Practical Information
Lecturer:
Dragan Bošnački
WH 3.101 (BME), LaQuSo (CS)
Spin web page:
http://spinroot.com
Workshop web page:
http://www.win.tue.nl/~dragan/OOTI2009
Literature:
The Spin Model Checker by Gerard Holzmann, IEEE Trans. on Software Engineering, Vol. 23, No. 5, May 1997, pp. 279-295.
Outline for Today
• About the course
• Brief Introduction: Formal Methods, Model Checking, Spin
• A quick start with Spin: a Mutual Exclusion Protocol and The Pathfinder
• Study on-line documentation
• Exercises
Schedule
• Tuesday, 21/4, morning: lectures + exercises
• Wednesday, 22/4, morning: exercises; afternoon: lectures + exercises
• Thursday, 23/4, morning: lectures; afternoon: assignment 1
• Friday, 24/4, morning: lectures + exercises; afternoon: assignment 2
• Monday, 27/4, morning: lectures; afternoon: working on assignment 2
• Tuesday, 28/4, afternoon: working on assignment 2
• (Wednesday, 29/4, afternoon: working on assignment 2)
Evaluation
Mark based on
• One smaller assignment (25%)
• Final assignment (75%)
Workshop Topics
• Formal Methods, Model Checking
• The Model Checker Spin
• The language Promela
• Verifying safety properties (assertions, deadlocks) with Spin
• Linear Temporal Logic, Buechi Automata
• Verifying liveness properties (LTL formulae) with Spin
• Hands-on exercises with Spin
• Extension of Spin with discrete time
• Advanced Static Analysis (“Syntactic” Model Checking)
• Principles of Static Analysis via Model Checking
• Hands-on exercises with UNO
Objectives of the Workshop (Model Checking)
At the end of the lectures the student:
• has a general picture about Model Checking
• has overview of Spin and Promela
• has a basic practical knowledge of Spin
• is able to write models in Promela
• is able to verify safety properties (assertions, deadlocks) with Spin
• knows the basics of Linear Temporal Logic
• has informal knowledge about Buechi automata
• is able to verify liveness properties expressed as LTL formulae with Spin
• knows the main advantages and drawbacks of Model Checking and Spin
Objectives of the Workshop (Static Analysis)
At the end of the lectures the student:
• has a general picture about Static Analysis
• knows the basics of performing Static Analysis via Model Checking
• has a basic practical knowledge of UNO
• is able to check dynamic properties (e.g. race conditions, blocking)
Formal Methods
• The need for formal methods
• Every mature engineering discipline features
– Abstraction: “Modeling” (mathematical or executable models / design prototype)
– Analysis: “Model checking” (manual or automated)
• In hardware and software design
– trial and error (testing, simulation)
– duplication (adjusting earlier designs, peer review)
• Formal methods aim to replace the second set with the first set
• Good methodology and tools needed
Model Checking: The Glorious Side
• Honors and awards
– Turing Award 2007: E.M. Clarke, E.A. Emerson and J. Sifakis
– ACM System Software Award: SPIN, G.J. Holzmann
… and many other ACM and IEEE awards
But, Is It Really Used?
• Microsoft: SDV, SLAM, Zink
• Bell Labs (AT&T, Alcatel-Lucent): SPIN, COSPAN, FeaVer, VerySoft
• Siemens
• Intel
Migrating from academia to industry
“Still work to do before Software Model Checking for the masses”
(P. Godefroid)
What is Model Checking Good For?
• Model checking is useful in safety-critical systems
– e.g. aviation industry, medical equipment, nuclear plants, telecommunication
• Some Spin success stories
– Storm surge barrier
– Lucent PathStar phone switch
– NASA mission-critical software (Deep Space 1, Cassini, Mars Exploration Rovers)
• With the proliferation of embedded software its importance will also increase in everyday applications
Slide by G.J. Holzmann
New Horizons
• Emerging parallel hardware technology
– multi-core processors
– general purpose graphics processing units (GPGPUs)
• Parallel programs are notoriously difficult to write
• Excellent opportunity for model checking
– Verification of new parallel technologies using the power of these technologies
Model Checking
• Widespread technique for the debugging and verification of concurrent/reactive systems
• Relatively easy to use
Success due to:
• Similarity with programming
• Automation, speed, counter-examples
• Formality (striving after verification)
- Clear semantics of the model and the properties
Model Checking (2)
System S satisfies property p
Model M (Modeling Language) ⊨ formal property f (Temporal Logic)
State space explosion
- reduction techniques needed
Model Checking (3)
• Basically (almost) a brute force analysis of the model’s state space
– by direct exploration (explicit)
– by symbolic exploration
• The exploration in both cases is in principle exhaustive.
• We will deal mainly with direct (explicit state) model checking
Model Checking Applied in the Earlier Phases
Development phases: analysis → requirements → specification → design → coding → testing → release → maintain
A Little Bit of History
• APPROVER
– probably the first tool for automated verification of concurrent systems
– Written by Jan Hajek at TU/e ’77-’79
Approver Paper
Figure: title page of Jan Hajek, “Protocols Verified with Approver” (1978)
Model Checking Tools
• SPIN – created by Gerard Holzmann at Bell Labs at the end of the 80s
• Many other model checking tools
– SMV, NuSMV, mCRL2, COSPAN, SLAM, BLAST, Zink, Java PathFinder, Bandera, Bogor, Divine, …
Spin, Promela, Xspin
Figure: Promela building blocks – process, global variable, channel (buffered), channel (rendez-vous)
• Promela:
– C, CSP-like communications, Dijkstra’s guarded commands
• Spin
Two Computer Scientists
E.W. Dijkstra C.A.R. Hoare
Spin, Promela, Xspin (2)
• buffered and synchronous communication
• shared memory
• asynchronous and interleaved execution of statements
• no assumption on the execution speed of the statements
Spin, Promela, Xspin (4)
• Depth first search of the state space
• Verification of
– safety (invalid end-states, assertions)
– liveness (non-progress cycles)
– never claims (Buechi automata, LTL)
• Xspin – graphical interface for Spin
– various output formats (e.g. Message Sequence Charts)
Spin, Promela, XSpin (3)
Figure: Spin tool flow
Model (Promela source) → SPIN → Simulation output (simulation: random, interactive, guided)
Model (Promela source) → SPIN → Analyzer (C source) → C compiler → Analyzer (exec) → Verification → Verification output, Error trail
The error trail feeds the guided simulation.
Parallel Processes
Prog/Proc A:   Prog/Proc B:
Print A1;      Print B1;
Print A2       Print B2
Outcomes:
A1;A2;B1;B2
A1;B1;B2;A2
Parallel Processes
Proc A:        Proc B:
X = 1;         Y = 0
Y = 4;
X = X + Y
We want X == 5 after Proc A has ended
Solution:
Proc A:        Proc B:
Block(Y);      Y = 0
X = 1;
Y = 4;
X = X + Y;
Release(Y)
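The race above as a Promela model, added here as an example (it is not from the slides). The Block/Release operations are modelled with a constructed global flag `lockY` and two inline helpers; the unfixed and fixed variants are selected with the `FIXED` preprocessor symbol.

```promela
/* Added example, not from the slides: the "Parallel Processes" race in Promela.
   Proc A expects X == 5 when it ends; Proc B may reset Y in between. */
int X = 0;
int Y = 0;

/* Constructed lock helpers standing in for the slide's Block(Y)/Release(Y). */
bool lockY = false;
inline block(l)   { atomic { !l -> l = true } }   /* wait until free, then take it */
inline release(l) { l = false }

#ifdef FIXED
proctype A() {
    block(lockY);
    X = 1;
    Y = 4;
    X = X + Y;
    assert(X == 5);        /* holds: B cannot touch Y while A holds lockY */
    release(lockY);
}
proctype B() {
    block(lockY);
    Y = 0;
    release(lockY);
}
#else
proctype A() {
    X = 1;
    Y = 4;
    X = X + Y;
    assert(X == 5);        /* violated by A: X=1; A: Y=4; B: Y=0; A: X=X+Y  (X == 1) */
}
proctype B() {
    Y = 0;
}
#endif

init { atomic { run A(); run B() } }

/* Verify with the Spin tool flow (model -> pan.c -> compiled analyzer -> error trail):
     spin -a race.pml && gcc -o pan pan.c && ./pan          # reports "assertion violated"
     spin -t -p race.pml                                     # replay the error trail
     spin -DFIXED -a race.pml && gcc -o pan pan.c && ./pan  # exhaustive search, no errors
*/
```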
Parallel Processes
Proc A:        Proc B:
X = …;         Y = …;
Y = …;         X = …;

Proc A:        Proc B:
Block X;       Block Y;
Block Y;       Block X;
X = …;         Y = …;
Y = …;         X = …;
Release Y;     Release X;
Release X      Release Y
Trouble – besides the “normal” execution
A: Block X; A: Block Y; A: Release Y; A: Release X; B: …
there is also a blocking one
A: Block X; B: Block Y; Deadlock!
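The deadlocking two-lock schedule as a Promela model, added here as an example (not from the slides). The lock flags `lockX`/`lockY`, the inline helpers and the assigned values are constructed; Spin finds the blocking interleaving as an invalid end state.

```promela
/* Added example, not from the slides: both processes take the two locks in
   opposite order, so A: Block X; B: Block Y leaves both blocked forever. */
bool lockX = false;
bool lockY = false;
int X = 0;
int Y = 0;

/* Constructed lock helpers standing in for the slide's Block/Release. */
inline block(l)   { atomic { !l -> l = true } }
inline release(l) { l = false }

proctype A() {
    block(lockX);
    block(lockY);          /* blocks here if B already holds lockY */
    X = 1;
    Y = 2;
    release(lockY);
    release(lockX);
}

proctype B() {
    block(lockY);
    block(lockX);          /* blocks here if A already holds lockX */
    Y = 3;
    X = 4;
    release(lockX);
    release(lockY);
}

init { atomic { run A(); run B() } }

/* spin -a deadlock.pml && gcc -o pan pan.c && ./pan   -> "invalid end state"
   spin -t -p deadlock.pml                             -> replays A: Block X; B: Block Y
   Acquiring the locks in the same order in both processes removes the deadlock. */
```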
Quick Start with Spin
• A Mutual Exclusion Protocol
• Mars Pathfinder
Reduction Techniques
• Tackling the state-explosion problem
– Partial Order Reduction
– Approximation Techniques (Bit-State Hashing, Hash Compact)
– Abstractions
– Symbolic Techniques (Minimized Automaton)
Partial Order Reduction
Figure: Proc A has states s0, s1, s2 with transitions a1, a2; Proc B has states r0, r1, r2 with transitions b1, b2; the product Proc A || B has states s0r0, s0r1, s0r2, s1r0, s1r1, s1r2, s2r0, s2r1, s2r2 reached by interleaving a1, a2, b1, b2.