Spin Slides

8/2/2019 Spin Slides

1/21

1

Spin Model Checker

Samaneh Navabpour

Electrical and Computer Engineering Department

University of WaterlooSE-464

Summer 2011


2/21

2

Common Design Flaws

Deadlock

Livelock, Starvation

Under-specification

Over-specification

Violation of Constraints

Etc. Most of the errors caused by these flaws can be

detected by model checking.


3/21

3

Model Checking and Spin

Model Checking: Is an automated technique that, given a finite model of a system and

a logical property, systematically checks whether this property holds

for that model.

Spin is a well known classical model checker. Aims towards concurrent systems

Only checks functional properties

Does not model real-time, but is capable of modeling timeouts.

DesignAbstract Verification

ModelImplementation

Model Checker

abstraction refinement


4/21

4

Material which needs to be covered

Spin Architecture

We wont cover

JSpin

How to install

How to use it

Promela

Basic building blocks


5/21

5

jSpin

Install

Create a directory for mingw, and install mingw in thatdirectory.

Create separate directory for Jspin. Download executablefor Jspin in directory, and run executable.

Running jSpin

-javaw

jar jSpin.jar (with optional Promela file). Demo jspin


6/21

6

jSpin

Check Runs a syntax check.

Random

Runs a random simulation. Interactive

Runs an interactive simulation.

Guided Runs a guided simulation using the trail file created by the

execution of the analyzer.


7/21

Verification with jSpin

With LTL formulas: formula must be converted to an automaton written as a

Promela never claim.

Remember to do Translate.

Translated LTL formula's will be saved in a *.ltl file.

Original LTL formulas can be saved in*.prp.

7


8/21

Verification with jSpin

Without LTL formulas: Safety Properties

Using assertions

Acceptance cycles: Testing for acceptance cycles is generally testing for the absence of

unwanted infinite behavior.

Acceptance cycle is a cycle that infinitely often visits an acceptancestate.

Non-Progress cycles: Progress is the guarantee of wanted infinite behavior.

Non-progress cycle is a cycle that does not visit a progress stateinfinitely often.

8


9/21

Promela

Promela consists of:

Processes Describes the behavior of the system.

Channels Define the environment in which the processes run.

Variables Define the environment in which the processes run.

The scope of a variable is global if it is declared outside allprocess declarations, and local if it is declared within aprocess declaration.

9


10/21

10

Promela

Statements in Promela: Are all conditional: A statement will only be executed if the

condition of its execution is satisfied. Hence: Statement is either Executable or Blocked.

Example: (a == b) is similar to

While(a != b)

{

// Skip

}

Promela cant have unbounded Data, Channels, Processes, Process Creation.


11/21

11

Promela-variables

Basic Types:

Bit

Bool

Byte Short

Int

Arrays

Byte test[9] Record

Typedef test {int test1, byte test2}


12/21

12

Promela-variables

Message type mtype

mtype {int, byte}

Channels

chan toR = [6] of {mtype, bit}

Global Variables

Variables can be given values by: assignment,argument passing and message passing.


13/21

13

Promela-processes

Processes

Can be created by run or active.

Can be created at any point. Processes can interact via channels or global variables.

The run statement can pass parameter values of all basic datatypes to the new process.

byte state;active [2] proctype P() {

(state == 1) -> state = 3}

namenumberexecution proctype P() {

}

Init{Int pid2 = run P();}

OR


14/21

14

Promela- Advanced Topics

atomic:

Statements in atomic are executed as one indivisible unit, non-interleaved with any other processes.

d_step:

Similar to atomic Does not save intermediate states

Can not contain non-determinism or blocking statements

proctype P(){ atomic{

(state==1) -> state = state+1}

}


15/21

15

Promela-Statements

If-statement:

If more than one guard is satisfied, we have non-determinism.

If all guards are un-executable the process will block until atleast one of them can be selected.

There is no restriction on the type of statements that can beused as a guard.

if:: (a >= b ) -> Stmt1 ; Stmt2 ; :: (a < b ) -> Stmt3 ; Stmt4 ; :: (a == b ) -> Stmt5 ; Stmt6 ;

:: else -> Stmt7fi

if:: count = count + 1:: count = count 1fi


16/21

16

Promela-Statements

Do-statement

Same as if-statement, only in a while loop.

do:: (a >= b ) -> Stmt1 ; Stmt2 ; :: (a < b ) -> Stmt3 ; Stmt4 ;

:: (a == b ) -> Stmt5 ; Stmt6 ; :: else -> Stmt7od

do:: count = count + 1:: count = count 1:: (count == 0) -> breakod


17/21

Promela-Communication

Processes can communicate in two ways:

Global variables

Channels:

chan = [] of {, , ..,} Example: chan toR = [2] of {int, int}

Asynchronously : dimension > 0

Synchronously : dimension = 0

Actions: Sending : ch ! , ..,

Receiving: ch ? var_1,..,var_n

If send and receive can not happen, process will block.

17

toR!(1,5)

.toR?(x1,x2)


18/21

18

Promela-Statements

Special Statements: goto

skip: same as 1 or true,

run assert ()

check whether certain properties hold. Gives an error ifviolated.


19/21

19

Promela- Advanced Topics

Timeout Promela has no real-time features

The timeout statement can only be executed when no other statement inthe system can be executed

Can help get out of deadlock

The timeout models a special condition that allows a process to abort thewaiting for a condition that may never become true, e.g. an input from anempty channel.

Example:do:: guard1 -> Stmt1; :: timeout -> break ;od


20/21

20

Conclusion

Spin is suitable for concurrent systems

Can not model time

JSpin is easy to install and use via the graphicalinterface

Promela is similar to C, therefore easy to cope with.

Beware of state explosion

Need basic knowledge of LTL.


21/21

21

References

Spin official page

http://spinroot.com

Spin online tutorials

http://spinroot.com/spin/Man/index.html

Jspin

http://stwww.weizmann.ac.il/g-cs/benari/spin

Erigone http://stwww.weizmann.ac.il/g-cs/benari/erigone
http://spinroot.com/http://spinroot.com/spin/Man/index.htmlhttp://stwww.weizmann.ac.il/g-cs/benari/spinhttp://stwww.weizmann.ac.il/g-cs/benari/erigonehttp://stwww.weizmann.ac.il/g-cs/benari/erigonehttp://stwww.weizmann.ac.il/g-cs/benari/erigonehttp://stwww.weizmann.ac.il/g-cs/benari/erigonehttp://stwww.weizmann.ac.il/g-cs/benari/spinhttp://stwww.weizmann.ac.il/g-cs/benari/spinhttp://stwww.weizmann.ac.il/g-cs/benari/spinhttp://spinroot.com/spin/Man/index.htmlhttp://spinroot.com/

Spin Slides

Documents

Transcript of Spin Slides