1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.

Carnegie Mellon University SPINFlavio Lerda

An explicit state model checker

Explict State Model Checker

• Represents the system as an finite state machine

• Visits each reachable state (state space) explicitly

• Checks some property– Property is satisfied– Counterexample

• DFS visit of the state space

procedure DFS(s)visited = visited {s};for each successor s’ of s

if s’ visited then DFS(s’);end if

end forend procedure

• How do we:– Represent the transition relation– Store the visited set

• Needs fast access (hash table)• State space explosion

– Check properties

Promela

• Process Algebra– An algebraic approach to the study of

concurrent processes. Its tools are algebraical languages for the specification of processes and the formulation of statements about them, together with calculi for the verification of these statements. [Van Glabbeek, 1987]

• Describes the system in a way similar to a programming language

Promela

• Asynchronous composition of independent processes

• Communication using channels and global variables

• Non-deterministic choices and interleavings

An Examplemtype = { NONCRITICAL, TRYING, CRITICAL };show mtype state[2];proctype process(int id) {beginning:noncritical:

state[id] = NONCRITICAL;if:: goto noncritical;:: true;fi;

trying:state[id] = TRYING;if:: goto trying;:: true;fi;

critical:state[id] = CRITICAL;if:: goto critical;:: true;fi;goto beginning;}

init { run process(0); run process(1); }

Enabled Statements

• A statement needs to be enabled for the process to be scheduled.

bool a, b;

proctype p1()

a = true;

a & b;

a = false;

proctype p2()

b = false;

a & b;

b = true;

init { a = false; b = false; run p1(); run p2(); }

Enabled Statements

bool a, b;

proctype p1()

a = true;

a & b;

a = false;

proctype p2()

b = false;

a & b;

b = true;

These statements are enabled only if both a and b are true.

Enabled Statements

bool a, b;

proctype p1()

a = true;

a & b;

a = false;

proctype p2()

b = false;

a & b;

b = true;

These statements are enabled only if both a and b are true.

In this case b is always false and therefore there is a deadlock.

Other constructs

• Do loopsdo

:: count = count + 1;

:: count = count - 1;

:: (count == 0) -> break

Other constructs

• Do loops

• Communication over channelsproctype sender(chan out)

int x;

::x=0;

::x=1;

out ! x;

Other constructs

• Do loops

• Communication over channels

• Assertionsproctype receiver(chan in)

int value;

out ? value;

assert(value == 0 || value == 1)

Other constructs

• Do loops

• Communication over channels

• Assertions

• Atomic Stepsint value;

proctype increment()

{ atomic {

x = value;

x = x + 1;

value = x;

On-The-Fly

• System is the asynchronous composition of processes

• The global transition relation is never build

• For each state the successor states are enumerated using the transition relation of each process

On-The-Fly0

0 11 0

On-The-Fly0

0 11 0

On-The-Fly0

0 11 0

On-The-Fly0

0 11 0

On-The-Fly0

0 11 0

On-The-Fly0

0 11 0

On-The-Fly0

0 11 0

On-The-Fly0

0 11 0

On-The-Fly0

0 11 0

Visited Set

• Represents all the states that have been reached so far

• Will eventually become the set of all reachable state (state space)

• Test of presence of a state in the set must be efficient– It is performed for each reached state

procedure DFS(s)visited = visited {s};for each successor s’ of s

if s’ visited then DFS(s’);end if

end forend procedure

Visited Set

• Hash table– Efficient for testing even if the number of

elements in it is very big (≥ 106)

Visited Set

• Reduce memory usage– Compress each state When a transition is executed only a

limited part of the state is modified

Visited Set

• Reduce memory usage– Compress each state

• Reduce the number of states– Partial Order Reduction

State Representation

• Global variables

• Processes and local variables

• Queues

Global Variables Processes Queues

Compression

• Each transition changes only a small part of the state

• Assign a code to each element dynamically

• Encoded states + basic elements use considerably less spaces than the uncompressed states

Compression

i=0 j=0P0x=0

0 0 1 0 0 2

Compression

i=0 j=0P0x=0

0 0 1 2

Hash Compaction

• Uses a hashing function to store each state using only 2 bits

Hash Compaction

• There is an non-zero probability that two states are mapped into the same bits

Hash Compaction

• If the number of states is quite smaller than the number of bits available there is a pretty good chance of not having conflicts

Hash Compaction

• If the number of states is quite smaller than the number of bits available there is a pretty good chance of not having conflicts

• The result is not (always) 100% correct!

Minimized Automata Reduction

• Turns the state in a sequence of integers

• Constructs an automata which accepts the states in the visited set

• Works like a BDD but on non-binary variables (MDD)

• Works like a BDD but on non-binary variables (MDD)– The variables are the components of the state

• Works like a BDD but on non-binary variables (MDD)– The variables are the components of the state– The automata is the minimal automata

• Works like a BDD but on non-binary variables (MDD)– The variables are the components of the state– The automata is the minimal automata– The automata is updated efficiently

Partial Order Reduction

• Some interleavings of processes are equivalent

x=0y=0

x=1y=0

x=0y=1

x=1y=1

x++y++

y++x++

x=1y=0

• Computing such interleavings and storing the intermediate states is expensive

• Partial order reduction defines a reduced system which is equivalent to the original system but contains less states and transitions

Defines an equivalent relation between states and computes the quotient of the state transition graph to obtain a reduced state transition graph.

Properties are true of the reduced state transition graph if and only if are true of the original graph.

• Optimal partial order reduction is as difficult as model checking!

• Compute an approximation based on syntactical information

• Compute an approximation based on syntactical information– Independent– Invisible– Check (at run-time) for actions postponed at

infinitum

Access to local variablesReceive on exclusive receive-access queues

Send on exclusive send-access queues

Not mentioned in the property

So called stack proviso

Properties

• Safety properties– Something bad never happens– Properties of states

• Liveness properties– Something good eventually happens– Properties of paths

Reachability is sufficient

We need something more complex to check liveness properties

LTL Model Checking

• Liveness properties are expressed in LTL– Subset of CTL* of the form:

• A f

where f is a path formula with does not contain any quantifiers

• The quantifier A is usually omitted.• G is substituted by (always or box)• F is substituted by (eventually or diamond)• X is substituted by (next)

LTL Formulae

• Always eventually p: p AGFp in CTL*

AG(pFq) in CTL*

• Fairness:

AG(p AFq) in CTL

AG AF p in CTL

(AGF p) in CTL*

Can’t express it in CTL

• Always after p there is eventually q: ( p ( q ) )

References• http://spinroot.com/ • Design and Validation of Computer Protocols by Gerard

Holzmann• The Spin Model Checker by Gerard Holzmann• An automata-theoretic approach to automatic program

verification, by Moshe Y. Vardi, and Pierre Wolper • An analysis of bitstate hashing, by G.J. Holzmann • An Improvement in Formal Verification, by G.J. Holzmann

and D. Peled • Simple on-the-fly automatic verification of linear temporal

logic, by Rob Gerth, Doron Peled, Moshe Vardi, and Pierre Wolper

• A Minimized automaton representation of reachable states, by A. Puri and G.J. Holzmann

1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.

goto noncritical

goto critical

true fi goto

true fi critical

goto tr

example mtype

interleavings slide

end procedure slide

Documents

Electronic Micrometer Mu-Checker Sensor Systems · 6...

Wave Checker

Myanmar Spell Checker

1 Carnegie Mellon UniversitySPINFlavio Lerda Bug...

Explicit Substitutions Calculi with Explicit Eta Rules -...

Der Barriere-Checker

Plagiarism Checker - shodhgangotri.inflibnet.ac.in ·...

Solibri Model Checker

VC-35 Vacuum Checker Vacuum interrupter tester DC Hipot .......

Memoire Aurelien Lerda PDF

Domain age checker

checker · 2016-09-12 · GMV marketing.TIC@gmv.es checker....

Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke...

Tags Keyword Rank Checker page rank checker Keyword Rank...

1 Carnegie Mellon UniversitySPIN ExamplesFlavio Lerda Bug...

Explicit Dynamics Explicit Meshing