Spin Model Checker

Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011

Common Design Flaws

Deadlock Livelock, Starvation Under-specification Over-specification Violation of Constraints Etc. Most of the errors caused by these flaws can be detected by model checking.
2

Model Checking and Spin

Model Checking:

Is an automated technique that, given a finite model of a system and a logical property, systematically checks whether this property holds for that model.
Aims towards concurrent systems Only checks functional properties Does not model real-time, but is capable of modeling timeouts.
Design Abstract Verification Model
abstraction

Spin is a well known classical model checker.

Implementation

refinement

Model Checker

Material which needs to be covered

Spin Architecture

We wont cover
How to install How to use it Basic building blocks

JSpin

Promela

jSpin

Install

Create a directory for mingw, and install mingw in that directory. Create separate directory for Jspin. Download executable for Jspin in directory, and run executable.
-javaw jar jSpin.jar (with optional Promela file).

Running jSpin

Demo jspin

jSpin

Check

Runs a syntax check.

Runs a random simulation. Runs an interactive simulation. Runs a guided simulation using the trail file created by the execution of the analyzer.

Random

Interactive

Guided

Verification with jSpin

With LTL formulas:

formula must be converted to an automaton written as a Promela never claim. Remember to do Translate. Translated LTL formula's will be saved in a *.ltl file. Original LTL formulas can be saved in*.prp.

Verification with jSpin

Without LTL formulas:

Safety Properties

Using assertions Testing for acceptance cycles is generally testing for the absence of unwanted infinite behavior. Acceptance cycle is a cycle that infinitely often visits an acceptance state. Progress is the guarantee of wanted infinite behavior. Non-progress cycle is a cycle that does not visit a progress state infinitely often.

Acceptance cycles:

Non-Progress cycles:

Promela

Promela consists of: Processes

Describes the behavior of the system.

Channels

Define the environment in which the processes run.

Define the environment in which the processes run. The scope of a variable is global if it is declared outside all process declarations, and local if it is declared within a process declaration.

Variables

Promela

Statements in Promela:

Are all conditional: A statement will only be executed if the condition of its execution is satisfied. Hence:
Statement is either Executable or Blocked. Example: (a == b) is similar to While(a != b) { // Skip }

Promela cant have unbounded

Data, Channels, Processes, Process Creation.

10

Promela-variables

Basic Types:

Bit Bool Byte Short Int

Byte test[9] Typedef test {int test1, byte test2}
11

Arrays

Record

Promela-variables

Message type mtype

mtype {int, byte}

chan toR = [6] of {mtype, bit}

Channels

Global Variables

Variables can be given values by: assignment, argument passing and message passing.
12

Promela-processes

Processes
proctype P() { }
OR Init{ Int pid2 = run P(); }

name execution number byte state; active [2] proctype P() { (state == 1) -> state = 3 }

Can be created by run or active. Can be created at any point. Processes can interact via channels or global variables. The run statement can pass parameter values of all basic data types to the new process.
13

Promela- Advanced Topics

atomic:

Statements in atomic are executed as one indivisible unit, noninterleaved with any other processes.
proctype P() { atomic { (state==1) -> state = state+1 } }

d_step:

Similar to atomic Does not save intermediate states Can not contain non-determinism or blocking statements
14

Promela-Statements

If-statement:

if :: (a >= b ) -> Stmt1 ; Stmt2 ; :: (a < b ) -> Stmt3 ; Stmt4 ; :: (a == b ) -> Stmt5 ; Stmt6 ; :: else -> Stmt7 fi

if :: count = count + 1 :: count = count 1 fi

If more than one guard is satisfied, we have nondeterminism. If all guards are un-executable the process will block until at least one of them can be selected. There is no restriction on the type of statements that can be used as a guard.
15

Promela-Statements

Do-statement

do :: (a >= b ) -> Stmt1 ; Stmt2 ; :: (a < b ) -> Stmt3 ; Stmt4 ; :: (a == b ) -> Stmt5 ; Stmt6 ; :: else -> Stmt7 od

do :: count = count + 1 :: count = count 1 :: (count == 0) -> break od

Same as if-statement, only in a while loop.

16

Promela-Communication

Processes can communicate in two ways:

Global variables Channels:

chan <name> = [<dim>] of {<type1>, <type2>, ..,<typen>}

Example: chan toR = [2] of {int, int}

toR!(1,5) . toR?(x1,x2)

Asynchronously : dimension > 0 Synchronously : dimension = 0 Actions:

Sending : ch ! <expr_1>, ..,<expr_n> Receiving: ch ? var_1,..,var_n

If send and receive can not happen, process will block.

17

Promela-Statements

Special Statements:

goto skip: same as 1 or true, run assert (<expr>)

check whether certain properties hold. Gives an error if violated.

18

Promela- Advanced Topics

Timeout

Promela has no real-time features The timeout statement can only be executed when no other statement in the system can be executed Can help get out of deadlock The timeout models a special condition that allows a process to abort the waiting for a condition that may never become true, e.g. an input from an empty channel. Example: do
:: guard1 -> Stmt1; :: timeout -> break ; od

19

Conclusion

Spin is suitable for concurrent systems Can not model time JSpin is easy to install and use via the graphical interface Promela is similar to C, therefore easy to cope with. Beware of state explosion Need basic knowledge of LTL.

20

References

Spin official page

http://spinroot.com
http://spinroot.com/spin/Man/index.html http://stwww.weizmann.ac.il/g-cs/benari/spin http://stwww.weizmann.ac.il/g-cs/benari/erigone

Spin online tutorials

Jspin

Erigone

21