The SPIN Model Checker

Frederico Araujo

CS6362 – Fall 2010

The SPIN Model Checker

Outline

2

What is model checking?Why model checking?SPIN

Basic ConceptsPromela

Promela ModelCorrectness Claims

JSpinCase Studies

What is model checking?

3

“Model checking is an automated technique that, given a finite-state model of a system and a logical property, systematically checks whether this property holds for (a given initial state in) that model.”

Clarke & Emerson 1981

Model Checker

A (S, S0,L,T,F)

Requirement

Yes or No plus a system run violating the requirement

What is model checking?

4

(Initial) Design

Abstract Verification

Model

Implementation

Model Checker

abstraction

refinement

Verification Model Abstraction of a design

simplification Express assumptions about the

environment and correctness properties

Why model checking?

5

It serves to prove that the design principles are soundCan predict wheter a model is valid or not

before its implementationNot expected to be part of the final

implementation of a systemIt anticipates design defects discovery

Potential to reduce costs related to rework and risks of failures in mission-critical systems

SPIN Introduction

6

SPIN (Simple Promela Interpreter) is a popular open-source model checker that can be used for the formal verification of asynchronous and distributed software systems.

Developed at Bell Labs, starting in 1980.Free, since 1991All Spin software is written in ANSI standard C,

and is portable across multiple platformsSPIN homepage is www.spinroot.com2002 ACM software system award for 2001

SPIN Introduction

7

Common flaws that occur in design of distributed software systems:DeadlockLivelock, starvationUnderspecificationOverspecification

SPIN Basic Concepts

8

Spin can be used in 2 basic modes :as a simulator to get a quick impression of

the behavior captured by the system model:guided simulationrandom and interactive simulation

as a verifier: when a counterexample is generated, it uses simulation to step through the trace

SPIN Basic Concepts

9

SPIN verification: prove correctness of process interactions

Processes refer to system components that communicate with each other

Communication rendezvous primitives (synchronous)buffered channels (asynchronous )shared variables

SPIN Basic Concepts

10

SPIN provides:An intuitive, C-like notation (Promela) for

specifying the finite-state abstraction of a system unambiguously

A notation for expressing general correctness requirements as LTL (Linear Temporal Logic) formulae

Promela Introduction

11

PROMELA (Process Meta-language), served as input to SPIN

Non-deterministic , guarded command language for specifying the system behavior of a distributed system

Systems of interacting, asynchronous threads of execution

It brings ideas from:CSP process algebra by Hoare for input/outputC language in some of the syntax and notational

conventionsa non-deterministic guarded command language

Promela Introduction

12

The properties define the

real objectif of a

verification

Behavior specicification (what is possible)• process behavior• variables, data types• message channelsLogical correctness properties (what is valid)• assertions• end-state, progress-state, and acceptance state labels• never claims (LTL formulae)• trace assertions• default properties:• absence of system deadlock• absence of unreachable code

Promela Model

13

Consists ofProcessData objectsMessage channels

Corresponds to a FSMEvery object is bounded

Process 255*

Message channels 255*

Data data type dependent* For current versions of SPIN

mytype = {MSG, ACK};chan toS=…chan toR=…bool flag;active proctype Sender(){…process body…}active proctype Receiver(){…process body…}

Promela Processes

14

Basic structureproctype Sender(chan in; chan out){

... process body ...}

Process creationinit and active

proctype You_run(){

... process body ...}init {

run You_run();}

active proctype You_run(){ ... process body ...}active [2] proctype You_run_b(){ ... process body ...}

Promela Processes

15

There can be more than one process inside a Promela model

A process executes concurrently with other processes.

A process also communicates with other processes by sending/receiving messages across channels by using shared (global) variables with other processes

Local state of a process is defined by process counter (defines the location of the process) and the values of the local variables of the process.

Promela Data Objects

16

Variables can be local or globalDefault initial value of both local and global

variables is 0Variables can be assigned a value by an

assignment, argument passing or message passing

Variables can be used in expressions which includes most arithmetic, relational and logical operators of C

Promela Basic Types

17

Basic Types

Array DeclarationArray Access

Records type definition

Record declarationRecord Access

Enumeration type for messagesFrom Verification Techniques lecture notes, Uppsala Universitet, Sweden

Promela Expressions

18

Operators

Conditional expressions

Operations on channels identifiers

From Verification Techniques lecture notes, Uppsala Universitet, Sweden

Promela Message Channels

19

Communication between processes through channels

FIFODeclared as arraysThere can be two types of communications:

Message-passing or asynchronousRendezvous or synchronous (channel of

dimension 0)

Promela Message Channels

20

Declarationchan qname = [16] of {short, byte, bool}

Sending messageqname!expr1, expr2, expr3

Receiving messageqname?var1, var2, var3constrained qname?cons1,var2,var3

To test if a send receive can be executable without side effectqname?[var1, var2, var3]

Promela Message Channels

21

Asynchronous communicationmtype = { msg0, msg1, ack0, ack1 };chan to_sndr = [2] of { mtype };chan to_rcvr = [2] of { mtype };active proctype Sender(){again: to_rcvr!msg1;

to_sndr?ack1;to_rcvr!msg0;to_sndr?ack0;goto again

}active proctype Receiver(){again: to_rcvr?msg1;

to_sndr!ack1;to_rcvr?msg0;to_sndr!ack0;goto again

}

Promela Message Channels

22

Synchronous communication (rendezvous)mtype = { msgtype };chan name = [0] of { mtype, byte };active proctype A(){

name!msgtype(124);name!msgtype(121)

}active proctype B(){

byte state;name?msgtype(state)

}

Promela Message Channels

23

Synchronous communication (rendezvous)mtype = { msgtype };chan glob = [0] of { chan };active proctype A(){

chan loc = [0] of { mtype, byte };glob!loc;

loc?msgtype(121)}active proctype B(){

chan who;glob?who;who!msgtype(121)

}

Promela Statements

24

Statements are separated by a semi-colonAssignments and expressions are statementsskip statement: does nothing, only changes the

process counterprintf statement: not evaluated during verificationassert(expr): Assert statement is used to check if

the property specified by the expression expr is valid within a state. If expr evaluates to 0, it implies that it is not valid and SPIN will exit with an error.

Promela Statements

25

if statementif:: choice1 -> stat1.1; stat1.2;:: choice2 -> stat2.1; stat2.2;:: …:: choicen -> statn.1; statn.2;fi;

if statement is executable if there is at least one choice which is executable and is blocked if none of the choices are executable

If more than one choice is executable, SPIN non-deterministically chooses one of the executable choices

Promela Statements

26

do statementdo:: choice1 -> stat1.1; stat1.2;:: choice2 -> stat2.1; stat2.2;:: …:: choicen -> statn.1; statn.2;od;

do statement behaves in the same way as if statement in terms of choice selection but, executes the choice selection repeatedly

break statement can be used to come out of a do loop transferring control to the statement just outside the loop

Promela Atomic operator

27

A process whose control is inside

atomic{ }

executes without being interrupted by other processes

From Verification Techniques lecture notes, Uppsala Universitet, Sweden

Promela Correcteness Claims

28

Basic assertions (checked during simulation run)

End-state labelsProgress-state labelsAccept-state labels checked during

verification runNever claimsTrace assertions

Promela Correcteness Claims

29

safety property“nothing bad ever happens”

invariantx is always less than 5

deadlock freedomthe system never reaches a state

where no actions are possibleSPIN

find a trace leading to the “bad” thing. If there is not such a trace, the property is satisfied.

liveness property

“something good will eventually happen”

terminationthe system will eventually

terminate response

if action X occurs then eventually action Y will occur

SPINfind a (infinite) loop in which the “good” thing does not happen. If there is not such a loop, the property is satisfied.

Promela Correcteness Claims

30

Correctness properties can be expressed:as properties of reachable states (generic safety properties)as properties of sequences of states (generic liveness properties)

In Promela:

properties of states

assertionslocal process assertionssystem invariants

end-state labelsto define proper termination

points of processesaccept-state labels

when looking for acceptance cyclesprogress-state labels

when looking for non-progress cyclesnever claims (optionally derived from LTL formulae)trace assertions

properties ofsequencesof states

Promela Correcteness Claims

31

Assertionbyte state = 1;active proctype A(){

(state == 1) -> state++;assert(state== 2)

}active proctype B(){

(state == 1) -> state--;assert(state== 0)

}

pan: assertion violated (state==2) (at depth 6)pan: wrote assertion-example.pml.trail(Spin Version 4.3.0 -- 22 June 2007)Warning: Search not completed

+ Partial Order ReductionFull statespace search for:

never claim - (none specified)assertion violations +cycle checks - (disabled by -

DSAFETY)invalid end states - (disabled by -E

flag)State-vector 16 byte, depth reached 6, ••• errors: 1 ••• 10 states, stored 0 states, matched 10 transitions (= stored+matched) 0 atomic stepshash conflicts: 0 (resolved)2.302 memory usage (Mbyte)

Promela Correcteness Claims

32

Assertionbyte state = 1;active proctype A(){

(state == 1) -> state++;assert(state== 2)

}active proctype B(){

(state == 1) -> state--;assert(state== 0)

}

pan: assertion violated (state==2) (at depth 6)pan: wrote assertion-example.pml.trail(Spin Version 4.3.0 -- 22 June 2007)Warning: Search not completed

+ Partial Order ReductionFull statespace search for:

never claim - (none specified)assertion violations +cycle checks - (disabled by -

DSAFETY)invalid end states - (disabled by -E

flag)State-vector 16 byte, depth reached 6, ••• errors: 1 ••• 10 states, stored 0 states, matched 10 transitions (= stored+matched) 0 atomic stepshash conflicts: 0 (resolved)2.302 memory usage (Mbyte)

What is the problem with this

model?

Promela Correcteness Claims

33

Assertionbyte state = 1;active proctype A(){atomic {(state == 1) -> state++; } assert(state== 2)}active proctype B(){atomic{(state == 1) -> state--;} assert(state== 0)}

(Spin Version 4.3.0 -- 22 June 2007)+ Partial Order Reduction

Full statespace search for:never claim - (none specified)assertion violations +cycle checks - (disabled by -

DSAFETY)invalid end states - (disabled by -E

flag)State-vector 16 byte, depth reached 3, ••• errors: 0 ••• 6 states, stored 0 states, matched 6 transitions (= stored+matched) 0 atomic stepshash conflicts: 0 (resolved)2.302 memory usage (Mbyte)unreached in proctype A

(0 of 5 states)unreached in proctype B

(0 of 5 states)

Promela Correcteness Claims

34

End-statemtype= { p, v };chan sem= [0] of { mtype};byte count;active proctype semaphore(){end: do :: sem!p-> sem?v od}active [5] proctype user(){end: do :: sem?p; count++; /* critical section */ count--; sem!v od}

(Spin Version 4.3.0 -- 22 June 2007)+ Partial Order Reduction

Full statespace search for:never claim - (none specified)assertion violations +cycle checks - (disabled by -

DSAFETY)invalid end states +

State-vector 36 byte, depth reached 5, ••• errors: 0 ••• 16 states, stored 5 states, matched 21 transitions (= stored+matched) 0 atomic stepshash conflicts: 0 (resolved)2.302 memory usage (Mbyte)unreached in proctype semaphore

line 9, state 6, "-end-"(1 of 6 states)

unreached in proctype userline 19, state 8, "-end-"(1 of 8 states)

Promela Correcteness Claims

35

Progress-statemtype= { p, v };chan sem= [0] of { mtype};byte count;active proctype semaphore(){end: do :: sem!p-> progress: sem?v od}active [5] proctype user(){end: do :: sem?p; count++; /* critical section */ count--; sem!v od}

(Spin Version 4.3.0 -- 22 June 2007)+ Partial Order Reduction

Full statespace search for:never claim +assertion violations + (if within scope

of claim)non-progress cycles +

(fairness disabled)invalid end states - (disabled by

never claim)State-vector 44 byte, depth reached 9, ••• errors: 0 ••• 21 states, stored 5 states, matched 26 transitions (= stored+matched) 0 atomic stepshash conflicts: 0 (resolved)2.302 memory usage (Mbyte)unreached in proctype semaphore

line 10, state 6, "-end-"(1 of 6 states)

unreached in proctype userline 20, state 8, "-end-"(1 of 8 states)

Non-progress verification

Promela Correcteness Claims

36

SPIN’s automata for semaphore problemEnd: End:

Progress:

Promela Correcteness Claims

37

Fairness finite progress assumptionwhen a process can make progress, it eventually will

1. weak fairness:if a statement is executable infinitely long, it will eventually be executed

2. strong fairness:if a statement is executable infinitely often, it will eventually be executed

fairness can be applied tonon-deterministic statement selection within a processnon-deterministic statement selection between processes

Promela Correcteness Claims

38

Accept-statemtype= { p, v };chan sem= [0] of { mtype};byte count;active proctype semaphore(){do:: sem!p-> sem?vod}active [5] proctype user(){do:: sem?p->accept: count++;/* critical section */count--;sem!vod}

pan: acceptance cycle (at depth 0)pan: wrote _accept-example.pml.trail(Spin Version 4.3.0 -- 22 June 2007)Warning: Search not completed

+ Partial Order ReductionFull statespace search for:

never claim - (none specified)assertion violations +acceptance cycles + (fairness

disabled)invalid end states +

State-vector 40 byte, depth reached 5, ••• errors: 1 ••• 4 states, stored 0 states, matched 4 transitions (= stored+matched) 0 atomic stepshash conflicts: 0 (resolved)2.302 memory usage (Mbyte)

Acceptance verification

Promela Correcteness Claims

39

SPIN’s counterexample for acceptance example

Implicit meaning: there should not exist any executions that can pass through an accept-state infinitely often

Promela Correcteness Claims

40

Linear Temporal Logic (LTL) and Buchi Automata never { /* <>(p&&[]!q) */

T0_init:if:: (! ((q)) && (p)) -> goto accept_S4:: (1) -> goto T0_initfi;

accept_S4:if:: (! ((q))) -> goto accept_S4fi;

}

Temporal logic operators:

eventually always

From Verification Techniques lecture notes, Uppsala Universitet, Sweden

Promela Correcteness Claims

41

Never claimNeeded capability for

defining more precise checks

Implicit meaning: specifies finite or infinite behavior that should never occur

Note: p and q need to be defined as macros: #define p (x>10)#define q (x<100)

never { /* <>(p&&[]!q) */T0_init:

if:: (! ((q)) && (p)) -> goto accept_S4:: (1) -> goto T0_initfi;

accept_S4:if:: (! ((q))) -> goto accept_S4fi;

}

JSpin

42

It is a java based GUI for SPIN model checker

Adapted from Theo C. Ruys - SPIN Beginners' Tutorial

JSpin

Case Studies

43

peterson’s mutual exclusion algorithmpaper: Towards a Methodology for Formal

Design and Analysis of Agent Interaction Protocols

References

44

Gerard J. Holzmann.The SPIN model checker: primer and reference guide, Addison-Wesley, September 2003

G. Holzmann, The Model Checker Spin ,IEEE Trans. on Software Engineering, Vol. 23, No. 5, May 1997, pp. 279-295

SPIN page: http://spinroot.comTheo C. Ruys. SPIN Beginners’ Tutorial, SPIN Workshop

2002, Grenoble, France, 2002Wei Jun, Cheung Shing-Chi, Wang Xul. Towards a

Methodology for Formal Design and Analysis of Agent Interaction Protocols - An Investigation in Electronic Commerce, Wuhan University Journal of Natural Sciences Vol. 6 No. 1-2, 2001

45

Questions?