a tutorial on model checker spin
play

A Tutorial on Model Checker SPIN Instructor: Hao Zheng Department - PowerPoint PPT Presentation

May 31, 2023 •810 likes •1.5k views

A Tutorial on Model Checker SPIN Instructor: Hao Zheng Department of Computer Science and Engineering University of South Florida Tampa, FL 33620 Email: haozheng@usf.edu Phone: (813)974-4757 Fax: (813)974-5456 1 Overview of Concurrent

  1. A Tutorial on Model Checker SPIN Instructor: Hao Zheng Department of Computer Science and Engineering University of South Florida Tampa, FL 33620 Email: haozheng@usf.edu Phone: (813)974-4757 Fax: (813)974-5456 1

  2. Overview of Concurrent Systems 2

  3. Shared Memory Model 3

  4. Distributed Memory Model 4

  5. SPIN & PROMELA • SPIN is an explicit model checker – State space represented as a directed graph – Can also perform random simulation • PROMELA is the modeling language for SPIN • A model is a set of sequential processes communicating over – Global variables for modeling shared memory structures – Channels for modeling distributed structures • PROMELA is NOT a programming language 5

  6. Download & Install SPIN • Go to http://spinroot.com/ 6

  7. Modeling Language Promela – Overview 7

  8. The “Hello World” Example /* hello.pml */ active proctype hello() { printf (“Hello world!\n”); } > spin hello.pml Hello world 8

  9. DEMO Hello World! /* A "Hello World" Promela model for SPIN. */ active proctype Hello() { printf("Hello process, my pid is: %d\n", _pid); } instantiate a copy of process Hello init { int lastpid; printf("init process, my pid is: %d\n", _pid); lastpid = run Hello(); printf("last pid was: %d\n", lastpid); } random seed $ spin -n2 hello.pr running SPIN in init process, my pid is: 1 random simulation mode last pid was: 2 Hello process, my pid is: 0 Hello process, my pid is: 2 3 processes created Thursday 11-Apr-2002 Theo C. Ruys - SPIN Beginners' Tutorial 19 9

  10. Promela Model Structure • Promela model consist of: mtype = {MSG, ACK}; – type declarations chan toS = ... chan toR = ... – channel declarations bool flag; – variable declarations proctype Sender() { – process declarations ... – [ init process] process body } • A Promela model corresponds proctype Receiver() { with a (usually very large, but) ... finite transition system, so } – no unbounded data init { – no unbounded channels ... } creates processes – no unbounded processes – no unbounded process creation 10

  11. Processes – 1 • A process type ( proctype ) consist of – a name – a list of formal parameters – local variable declarations – body formal parameters name proctype Sender(chan in; chan out) { bit sndB, rcvB; local variables do :: out ! MSG, sndB -> in ? ACK, rcvB; if body :: sndB == rcvB -> sndB = 1-sndB :: else -> skip fi The body consist of a od sequence of statements. } 11

  12. Processes – 2 • A process – is defined by a proctype definition – executes concurrently with all other processes, independent of speed of behaviour – communicate with other processes • using global (shared) variables • using channels • There may be several processes of the same type. • Each process has its own local state: – process counter (location within the proctype ) – contents of the local variables 12 � � � �

  13. A Simple Multi-Thread Program byte a; // global variable active proctype p1() { byte b = 0; // local variable a=1; b=a+b } active proctype p2() { a=2; } 13

  14. Processes – 3 � Process are created using proctype Foo(byte x) { the run statement (which ... returns the process id). } � Processes can be created at any point in the execution init { int pid2 = run Foo(2); (within any process). run Foo(27); � Processes start executing } number of procs. (opt.) after the run statement. � Processes can also be active[3] proctype Bar() { ... created by adding active } in front of the proctype parameters will be initialised to 0 declaration. 14

  15. Variables & Types – 1 Basic types • Five different (integer) [0..1] bit turn=1; [0..1] basic types. bool flag; [0..255] byte counter; [-2 16 -1.. 2 16 –1] • Arrays short s; [-2 32 -1.. 2 32 –1] int msg; • Records (structs) Arrays array • Type conflicts are detected indicing byte a[27]; start at 0 bit flags[4]; at runtime. Typedef (records) • Default initial value of basic typedef Record { variables (local and global) short f1; is 0. byte f2; variable } declaration Record rr; rr.f1 = .. 15

  16. Variables & Types – 2 int ii; • Variables should be bit bb; declared. assignment = bb=1; • Variables can be given a ii=2; value by: declaration + short s=-1; – assignment initialisation – argument passing typedef Foo { bit bb; – message passing int ii; (see communication) }; Foo f; • Variables can be used in f.bb = 0; expressions. f.ii = -2; equal test == Most arithmetic, relational, ii*s+27 == 23; and logical operators of printf(“value: %d”, s*s); C/Java are supported, including bitshift operators. 16

  17. Statements – Specifying Behavior 17

  18. Statements – 1 • The body of a process consists of a sequence of statements. A statement is either executable/blocked depends on the global – executable: the statement can state of the system. be executed immediately. – blocked: the statement cannot be executed. • An assignment is always executable. • An expression is also a statement; it is executable if it evaluates to non-zero. always executable 2 < 3 only executable if value of x is smaller 27 x < 27 executable if x is not equal to –3 3 + x 18

  19. Peterson’s Algorithm for Mutual Exclusion bool turn, flag[2]; byte cnt; active [2] proctype proc() { pid i,j; i = _pid; // acquire pid of the calling proc j = 1 - _pid; // pid of the other process again: flag[i]=true; turn=i; (flag[j]==false || turn !=i) -> cnt++; //enter critical section assert(cnt==1); //only one proc can be in critical section cnt - - ; //exit critical section goto again; } 19

  20. Statements – 2 • assert(<expr>); – The assert -statement is always executable. – If <expr> evaluates to zero, SPIN will exit with an error, as the <expr> “has been violated”. – The assert -statement is often used within Promela models, to check whether certain properties are valid in a state. proctype monitor() { assert(n <= 3); } proctype receiver() { ... toReceiver ? msg; assert(msg != ERROR); ... } 20

  21. Statement – goto goto goto label – transfers execution to label – each Promela statement might be labelled – quite useful in modelling communication protocols wait_ack: Timeout modelled by a channel. if :: B?ACK -> ab=1-ab ; goto success :: ChunkTimeout?SHAKE -> if :: (rc < MAX) -> rc++; F!(i==1),(i==n),ab,d[i]; goto wait_ack :: (rc >= MAX) -> goto error fi fi ; Part of model of BRP 21

  22. inspired by: if-statement (1) Dijkstra’s guarded command language if :: choice 1 -> stat 1.1 ; stat 1.2 ; stat 1.3 ; … :: choice 2 -> stat 2.1 ; stat 2.2 ; stat 2.3 ; … :: … :: choice n -> stat n.1 ; stat n.2 ; stat n.3 ; … fi; • If there is at least one choice i (guard) executable, the if - statement is executable and SPIN non-deterministically chooses one of the executable choices. • If no choice i is executable, the if -statement is blocked. • The operator “ -> ” is equivalent to “ ; ”. By convention, it is used within if -statements to separate the guards from the statements that follow the guards. Thursday 11-Apr-2002 Theo C. Ruys - SPIN Beginners' Tutorial 32 22

  23. if-statement (2) if � ���� else ������������� :: (n % 2 != 0) -> n=1 ���������� ������� ������� :: (n >= 0) -> n=n-2 :: (n % 3 == 0) -> n=3 ��������������������������� :: else -> skip fi give n a random value non-deterministic branching if :: skip -> n=0 :: skip -> n=1 :: skip -> n=2 :: skip -> n=3 fi skip s are redundant, because assignments are themselves always executable... Thursday 11-Apr-2002 Theo C. Ruys - SPIN Beginners' Tutorial 33 23

  24. IF-Statement if if :: a > b -> c++ :: a > b -> c++ :: else -> c=0 :: true -> c=0 fi fi • The else se branch is selected only when all other branches are not selected • The tr true branch is always selected • The above if statements are always executable 24

  25. � ���� ������������� ���������� ������� ������� ��������������������������� do-statement (1) do :: choice 1 -> stat 1.1 ; stat 1.2 ; stat 1.3 ; … :: choice 2 -> stat 2.1 ; stat 2.2 ; stat 2.3 ; … :: … :: choice n -> stat n.1 ; stat n.2 ; stat n.3 ; … od; • With respect to the choices, a do -statement behaves in the same way as an if -statement. • However, instead of ending the statement at the end of the choosen list of statements, a do -statement repeats the choice selection. • The (always executable) break statement exits a do -loop statement and transfers control to the end of the loop. Thursday 11-Apr-2002 Theo C. Ruys - SPIN Beginners' Tutorial 34 25

  26. Statement do-od enumeration type /* Traffic light controller */ mtype = {RED, GREEN YELLOW}; active proctype TrafficLight() { do :: (state == RED) -> state = GREEN; :: (state == GREEN) -> state = YELLOW; :: (state == YELLOW) -> state = RED; od } 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verification of a Dynamic Channel Model using the SPIN Model Checker Rune M. Friborg and Brian

Verification of a Dynamic Channel Model using the SPIN Model Checker Rune M. Friborg and Brian

Verification of a Dynamic Channel Model using the SPIN Model Checker Rune M. Friborg and Brian Vinter eScience center, University of Copenhagen Dias 1 Introduction to PyCSP 2007 - PyCSP is presented. The synchronization model for channel

574 views • 20 slides
Tutorial 2: Promela/Spin Running Spin General Usage and Tips CISC422/853 Advice for

Tutorial 2: Promela/Spin Running Spin General Usage and Tips CISC422/853 Advice for

Overview Installing Spin Starting Spin Tutorial 2: Promela/Spin Running Spin General Usage and Tips CISC422/853 Advice for Assignment 2 Scott Grant Installing Spin Installing jSpin Spin has a few distributions

256 views • 10 slides
The UPPAAL Model Checker The UPPAAL Model Checker Julin Proenza Systems, Robotics and Vision

The UPPAAL Model Checker The UPPAAL Model Checker Julin Proenza Systems, Robotics and Vision

The UPPAAL Model Checker The UPPAAL Model Checker Julin Proenza Systems, Robotics and Vision Group. UIB. SPAIN Julin Proenza. UIB. Oct 2008 The aim of this presentation Introduce the basic concepts of model checking from a practical

804 views • 68 slides
Lecture 3: Model-checker NuSMV B. Srivathsan Chennai Mathematical Institute NPTEL-course July -

Lecture 3: Model-checker NuSMV B. Srivathsan Chennai Mathematical Institute NPTEL-course July -

Lecture 3: Model-checker NuSMV B. Srivathsan Chennai Mathematical Institute NPTEL-course July - November 2015 1 / 31 Model-checker Specify the model of the system Specify the requirements Model-checker will automatically check if system

1.72k views • 112 slides
SPIN Beginners Tutorial Grenoble, France Thursday 11-Apr-2002 Theo C. Ruys University of

SPIN Beginners Tutorial Grenoble, France Thursday 11-Apr-2002 Theo C. Ruys University of

Theo C. Ruys - SPIN Beginners' Tutorial version: Friday, 13 September 2002 SPIN 2002 Workshop SPIN Beginners Tutorial Grenoble, France Thursday 11-Apr-2002 Theo C. Ruys University of Twente Formal Methods &amp; Tools group

540 views • 50 slides
Implementation of a Coalgebraic Model Checker Aaron Strahlberger 16.07.2019 Parity Game based

Implementation of a Coalgebraic Model Checker Aaron Strahlberger 16.07.2019 Parity Game based

Implementation of a Coalgebraic Model Checker Aaron Strahlberger 16.07.2019 Parity Game based Model Checker Game-Based Local Model Checking for the Coalgebraic -Calculus by Daniel Hausmann and Lutz Schrder [1] (CONCUR 2019)

474 views • 31 slides
Model Checking of Timed Systems A UPPAAL Tutorial Wang Yi Uppsala University, Sweden SFM 2010,

Model Checking of Timed Systems A UPPAAL Tutorial Wang Yi Uppsala University, Sweden SFM 2010,

This is simple, simple, simple Model Checking of Timed Systems A UPPAAL Tutorial Wang Yi Uppsala University, Sweden SFM 2010, Bertinoro LESLIE LAMPORT 1 2 UPPAAL A model checker for real-time systems Main Authors/Contributors of

449 views • 29 slides
A Model Checker Collection for the Model Checking Contest @ Petri Nets Didier Buchs Stefan

A Model Checker Collection for the Model Checking Contest @ Petri Nets Didier Buchs Stefan

A Model Checker Collection for the Model Checking Contest @ Petri Nets Didier Buchs Stefan Klikovits Alban Linard Romain Mencattini Dimitri Racordon 28 June 2018 1/11 1/11 Examination Result GreatSPN ITSTools LoLA LTSMin Marcie

613 views • 20 slides
VTSA10 Summer School, Luxembourg, September 2010 Introduction Probabilistic model checking

VTSA10 Summer School, Luxembourg, September 2010 Introduction Probabilistic model checking

VTSA10 Summer School, Luxembourg, September 2010 Introduction Probabilistic model checking Model checking Automated formal verification for finite-state models Finite-state model System Result Model checker e.g. SMV, Spin Counter-

776 views • 58 slides
Schedulability Analysis of Timed CSP Models Using the PAT Model Checker O uzcan O UZ Jan

Schedulability Analysis of Timed CSP Models Using the PAT Model Checker O uzcan O UZ Jan

Schedulability Analysis of Timed CSP Models Using the PAT Model Checker O uzcan O UZ Jan F. BROENINK Angelika MADER Robotics and Mechatronics, University of Twente, The Netherlands Contents Problem Statement &amp; Approach

516 views • 24 slides
The Low-Level Bounded Model Checker LLBMC A Precise Memory Model for LLBMC Florian Merz | October

The Low-Level Bounded Model Checker LLBMC A Precise Memory Model for LLBMC Florian Merz | October

The Low-Level Bounded Model Checker LLBMC A Precise Memory Model for LLBMC Florian Merz | October 7, 2010 Carsten Sinz Stephan Falke V ERIFICATION MEETS A LGORITHM E NGINEERING www.kit.edu KIT University of the State of Baden-Wuerttemberg

415 views • 19 slides
Can a Model Checker Generate Tests for Non-Deterministic Systems? Sergiy Boroday, Alexandre

Can a Model Checker Generate Tests for Non-Deterministic Systems? Sergiy Boroday, Alexandre

Can a Model Checker Generate Tests for Non-Deterministic Systems? Sergiy Boroday, Alexandre Petrenko CRIM, Montreal, Canada Roland Groz INPG, France MBT 2007 Outline Motivation Weak and Strong Tests Test Generation Model

802 views • 22 slides
Automated Reasoning Model Checking with Spin (III) Alan Bundy Automated Reasoning Model

Automated Reasoning Model Checking with Spin (III) Alan Bundy Automated Reasoning Model

Automated Reasoning Model Checking with Spin (III) Alan Bundy Automated Reasoning Model Checking with Spin (III) Lecture 12, page 1 Outline of Verification Process Objective: form one big automata, which Spin can use for verification.

1.01k views • 25 slides
The Software Model Checker BLAST: Applications to Software Engineering Dirk Beyer, Thomas A.

The Software Model Checker BLAST: Applications to Software Engineering Dirk Beyer, Thomas A.

The Software Model Checker BLAST: Applications to Software Engineering Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar Int. Journal on Software Tools for Technology Transfer, 2007 Stefan Buchholz March 17, 2009 1 Model

456 views • 12 slides
Towards a model-checker for counter systems S. Demri 1 A. Finkel 1 V. Goranko 2 G. van Drimmelen 2

Towards a model-checker for counter systems S. Demri 1 A. Finkel 1 V. Goranko 2 G. van Drimmelen 2

Towards a model-checker for counter systems S. Demri 1 A. Finkel 1 V. Goranko 2 G. van Drimmelen 2 1 LSV, CNRS &amp; ENS Cachan &amp; INRIA Futurs 2 University of Witwatersrand, Johannesburg ATVA, October 2006, Beijing Motivations Presburger

679 views • 37 slides
Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker Types Transform Check safety and

681 views • 67 slides
Concurrency and Parallelism in ML John Reppy University of Chicago MacQueen Fest May 12,

Concurrency and Parallelism in ML John Reppy University of Chicago MacQueen Fest May 12,

Concurrency and Parallelism in ML John Reppy University of Chicago MacQueen Fest May 12, 2012 History Personal history I ML on Unix (Cardelli ML) I ML + Amber = Pegasus ML I Standard ML of New Jersey (Version 0.15 on tape) I Pegasus ML

289 views • 17 slides
Che-Lin Su The University of Chicago Booth School of Business joint work with Michael Egesdal

Che-Lin Su The University of Chicago Booth School of Business joint work with Michael Egesdal

Estimating Dynamic Discrete-Choice Games of Incomplete Information Che-Lin Su The University of Chicago Booth School of Business joint work with Michael Egesdal and Zhenyu Lai (Harvard University) 2014 Workshop on Optimization for Modern

1.16k views • 60 slides
Quiz Next Thursday, Sept 6 Will focus on terminology and notation (mostly multiple choice)

Quiz Next Thursday, Sept 6 Will focus on terminology and notation (mostly multiple choice)

Quiz Next Thursday, Sept 6 Will focus on terminology and notation (mostly multiple choice) Might include something from the reading for that day (PML Ch 2) Let me know ahead of time if you cant make it Excused quizzes will be

1.02k views • 53 slides
Requirements for Rules Interoperability Ed Barkmeyer, Ravi Raman, Evan Wallace Manufacturing

Requirements for Rules Interoperability Ed Barkmeyer, Ravi Raman, Evan Wallace Manufacturing

Requirements for Rules Interoperability Ed Barkmeyer, Ravi Raman, Evan Wallace Manufacturing Engineering Laboratory NIST NIST Presentation - W3C Rules Workshop 1 General Architecture Multiple ontology and rules languages Reference

114 views • 9 slides
A Practical Framework for Curry-Style Languages (Inspired by realizability semantics) Rodolphe

A Practical Framework for Curry-Style Languages (Inspired by realizability semantics) Rodolphe

A Practical Framework for Curry-Style Languages (Inspired by realizability semantics) Rodolphe Lepigre 1/18 Context: using realizability for programming languages Last years talk was about the PML language: A simple but powerful

496 views • 18 slides
MWUA 2014 Bound Structure Limits in Force of 6,993,441,138 as of 10/31/13 $970M 70M xs 900M Agg

MWUA 2014 Bound Structure Limits in Force of 6,993,441,138 as of 10/31/13 $970M 70M xs 900M Agg

MWUA 2014 Bound Structure Limits in Force of 6,993,441,138 as of 10/31/13 $970M 70M xs 900M Agg $900M 150M xs 750M Agg (RPP Purchased) $750M 200M xs 550M Agg (RPP Purchased) 100 Year $650m avg PML (AIR/RMS) $550M 200M xs 350M Agg (RPP

279 views • 6 slides
Lecture 1: Introduction to CS 3220 David Bindel 24 Jan 2011 Plan for today What is

Lecture 1: Introduction to CS 3220 David Bindel 24 Jan 2011 Plan for today What is

Lecture 1: Introduction to CS 3220 David Bindel 24 Jan 2011 Plan for today What is scientific computing about? What is this class about? Workload and prerequisites Logistics and course policies The Big Computational Science &amp;

510 views • 37 slides
rs P r rs

rs P r rs

rs P r rs s rt P rts rt t rs

671 views • 22 slides

More recommend