Automated Reasoning Model Checking with Spin (III) Alan Bundy - - PowerPoint PPT Presentation
Automated Reasoning Model Checking with Spin (III) Alan Bundy Automated Reasoning Model Checking with Spin (III) Lecture 12, page 1 Outline of Verification Process Objective: form one big automata, which Spin can use for verification.
Automated Reasoning Lecture 12, page 1 Model Checking with Spin (III)
Automated Reasoning Lecture 12, page 2 Model Checking with Spin (III)
– which Spin can use for verification.
– via asynchronous products.
– via automata expansions.
– via synchronous products.
Automated Reasoning Lecture 12, page 3 Model Checking with Spin (III)
understood from the automaton it describes.
– no local variables, – no atomic{...} statements, and – no run ... operators (as mentioned earlier)
(see Promela manual for complete semantics)
Automated Reasoning Lecture 12, page 4 Model Checking with Spin (III)
– Each location in the code becomes a state in the automaton;
recall that a location can have one or more labels (e.g. init: )
– First location becomes the initial state – Control-flow statements describe the transitions from the current
state, and
– Basic statements label the transitions
Automated Reasoning Lecture 12, page 5 Model Checking with Spin (III)
– Expressions: x+5, !(x>3 && b==true) – Assignments: x=x+1 – Assertions: assert(x>0) – Print statements: printf(...), printm(...)
Automated Reasoning Lecture 12, page 6 Model Checking with Spin (III)
active proctype Counter(){
bool b=false; int x=0; do ::x<N -> { x=x+1; y=y+x } ::(b && x==N) -> break ::(!b && x==N) -> { x=0; b=true }
assert(y==N*(N+1)) }
depicted below.
Counter
x<N !b&&x==N b&&x==N x=x+1 y=y+x x=0 b=true assert(y==N *(N+1)
Automated Reasoning Lecture 12, page 7 Model Checking with Spin (III)
active proctype Security(){ int i=0; s_try: if ::i<N -> if ::true -> goto s_okay; ::true -> i=i+1 fi; ::i>=N -> goto s_fail fi; goto s_try; s_okay: run Authorise(); goto s_end; s_fail: printf("Failed."); s_end: skip }
Security
s_try
s_okay
i<N i>=N true i=i+1
s_fail
true
s_end
run Authorise
printf(“Failed”) skip
Automated Reasoning Lecture 12, page 8 Model Checking with Spin (III)
% spin -a -o3 Security #Build verifier for Security, -o3 = disable statement merging % cc -o pan pan.c #Compile verifier % ./pan -d #Display automata proctype Security state 10 -(tr 5)-> state 6 [id 0 tp 2] [----L] line 5 => ((i<10)) state 10 -(tr 7)-> state 15 [id 7 tp 2] [----L] line 5 => ((i>=10)) state 6 -(tr 1)-> state 13 [id 1 tp 2] [----L] line 7 => (1) state 6 -(tr 1)-> state 5 [id 3 tp 2] [----L] line 7 => (1) state 13 -(tr 8)-> state 16 [id 12 tp 2] [----G] line 16 => (run Auth...) state 16 -(tr 1)-> state 17 [id 15 tp 2] [----L] line 21 => (1) state 17 -(tr 10)-> state 0 [id 16 tp 3500] [--e-L] line 22 => -end- state 5 -(tr 6)-> state 10 [id 4 tp 2] [----L] line 9 => i = (i+1) state 15 -(tr 9)-> state 16 [id 14 tp 2] [----L] line 19 => printf('F..') proctype Authorise state 1 -(tr 3)-> state 2 [id 17 tp 2] [----L] line 25 => printf('A..') state 2 -(tr 4)-> state 0 [id 18 tp 3500] [--e-L] line 26 => -end- Transition Type: A=atomic; D=d_step; L=local; G=global Source-State Labels: p=progress; e=end; a=accept;
Use ./pan -d
Automated Reasoning Lecture 12, page 9 Model Checking with Spin (III)
dynamic process creation is allowed, i.e. no run operators.
depend upon the state of each A(Proci). During each transition some A(Proci) changes states (hence the state of the automaton for M changes). This is called interleaving concurrency.
product (aka interleaving product) of its component automata.
Automated Reasoning Lecture 12, page 10 Model Checking with Spin (III)
int x=0; active proctype ProcA() { do ::!(x%2) -> x=x/2
} active proctype ProcB() { do ::x<2 -> x=x+1
} a0 a1
!(x%2) x=x/2
b0 b1
x<2 x=x+1
a1,b1
!(x%2) x=x/2
a0,b0 a1,b0 a0,b1
x=x/2 !(x%2) x=x+1 x<2 x<2 x=x+1
A(ProcA) x A(ProcB) A(ProcB) A(ProcA)
Aut
Automated Reasoning Lecture 12, page 11 Model Checking with Spin (III)
∏Ai is (S,s0,L,T,F) where
– S=A1.S x A2.S x ... x An.S – s0=(A1.s0, A2.s0, ..., An.s0) – L=UAi.L – T={( (s1,s2,...,sn) , l , (t1,t2,...,tn) ) ∈ S x L x S |
∃i. (si,l,ti) ∈ Ai.T and ∀j≠i. sj= tj}
– F={(s1,s2,...,sn) | ∃i. si ∈ Ai.F}
viewed as the automaton A(M)= ∏A(Proci).
Automated Reasoning Lecture 12, page 12 Model Checking with Spin (III)
which assigns , for each variable x, a value in its domain. E.g. a valuation v over X={x:int,b:bool} such that v(x)=0 and v(b)=true.
sequence of the form where
–
si ∈ A(M).S, li ∈ A(M).L, and vi a valuation over X,
–
s0 = A(M).s0 and v0 is the initial valuation
–
(si,li,si+1) ∈ A(M).T,
–
exec(li, vi) = true,
–
vi+1 = effect(li, vi)
l0 l1
li li+1 ...
Automated Reasoning Lecture 12, page 13 Model Checking with Spin (III)
(where l is a basic statement and v a valuation)
– exec(e,v) = e(v)>0
effect(e,v) = v
– exec(x=e,v) = true
effect(x=e,v) = v[x:=e(v)]
– exec(l,v) = true
effect(l,v) = v (where l is an assertion or a print statement) See Promela manual for more complete descriptions
Automated Reasoning Lecture 12, page 14 Model Checking with Spin (III)
a0,b0 x=0 a0,b1 x=1 a0,b1 x=0 a0,b0 x=1
x<2 x=x+1 x<2
a0,b0 x=0 a1,b0 x=1 a0,b1 x=0 a0,b0 x=1
x<2 x=x+1 !(x%2)
a1,b1
!(x%2) x=x/2
a0,b0 a1,b0 a0,b1
x=x/2 !(x%2) x=x+1 x<2 x<2 x=x+1
!(x%2) is not executable here. exec(!(x%2),{x=1}) = false
Automated Reasoning Lecture 12, page 15 Model Checking with Spin (III)
automaton A(M).
variables in X) and the initial valuation v0, define an automaton Av0=(S,s0,L,T,F) where
–
S={(s,v) | v a valuation and s ∈ A.S}
–
s0=(A.s0,v0)
–
L=A.L
–
T={( (s,v) , l , (s',v') ) ∈ SxLxS |(s,l,s') ∈ A.T, exec(l,v) = true, v' = effect(l,v) }
–
F={(sf,v) ∈ S | sf ∈ A.F}
the restriction of Av0 to those states reachable from s0
– A run in M is simply a run in Exp(A(M),v0). – A Spin simulation of M is just a simulation of Exp(A(M),v0).
Automated Reasoning Lecture 12, page 16 Model Checking with Spin (III)
a1,b1
!(x%2) x=x/2
a0,b0 a1,b0 a0,b1
x=x/2 !(x%2) x=x+1 x<2 x<2 x=x+1
A(ProcA) x A(ProcB)
a0,b0
x=x/2
a0,b1 a1,b0 a1,b1 a0,b0 1 a0,b1 1 a1,b1 1 a1,b0 2
!(x%2) x<2 x=x+1 x<2 x=x/2
a1,b0 1
x=x+1 x<2
a0,b0 2
x<2 x=x+1 x=x+1 !(x%2) x=x/2
Exp(A(ProcA) x A(ProcB),{x=0})
Automated Reasoning Lecture 12, page 17 Model Checking with Spin (III)
but additionally:
– the accept labels are taken into account. States with accept labels
become accepting states, i.e. members of A(N).F
– If there is a terminating state (one without transitions), then add a
transition with label 'skip' from that state to itself, and make it an accepting state. In Promela, this is - in effect - as if we append the never claim code with: accept_end: skip; goto accept_end This captures the condition that “Never claims should never end”.
Automated Reasoning Lecture 12, page 18 Model Checking with Spin (III)
never { /* !([]x==0 || <>x==2) */ init0: if :: !(x==0) && !(x==2) -> goto accept :: !(x==2) -> goto init0 fi; accept: if :: !(x==2) -> goto accept fi; }
Never claim N for !([]x==0 || <>x==2) i=init0, a=accept e=end
AutNever never { /* <>P */ init0: if :: P -> goto end :: true -> goto init0 fi; end: skip }
Never claim N' for <>P i
!x==0&&!x==2 !x==2 !x==2
A(N) a
true skip
i
P
A(N') e
Automated Reasoning Lecture 12, page 19 Model Checking with Spin (III)
valuations of the global variables. It tells which sequences of valuations are bad.
accepts a sequence of valuations (v0,v1,v2,...) if there exists such that
–
si ∈ A.S, li ∈ A.L
–
s0=A.s0
–
(si, li, si+1) ∈ A.T
–
exec(li,vi) = true
–
sj ∈ A.F for infinitely many j (Büchi acceptance)
l0 l1
li li+1 ...
Automated Reasoning Lecture 12, page 20 Model Checking with Spin (III)
accepted by A(N): {x=0},{x=1},{x=0},{x=1},{x=0},{x=1},...
{x=0},{x=0},{x=0},{x=0},{x=0},{x=0},...
the never claim N if the valuation sequence in it is accepted by A(N). i
!x==0&&!x==2 !x==2 !x==2
A(N) a
Automated Reasoning Lecture 12, page 21 Model Checking with Spin (III)
into an 'equivalent' never claim. It is now possible to state this more precisely.
for an expression in Promela.
interpret a Promela expression at each point in the sequence, i.e. vi ╞ e ⇔ e(vi) > 0
For example, ({x=0},{x=1},{x=2},{x=1},{x=2},...)╞ □x≠0 ({x=0},{x=1},{x=0},{x=1},{x=0},...)╞ ¬(□x=0 ∨ x=2)
that ℒX(f) = ℒX(A(N)).
Automated Reasoning Lecture 12, page 22 Model Checking with Spin (III)
Automated Reasoning Lecture 12, page 23 Model Checking with Spin (III)
i a0,b0 i a0,b1 i a1,b0 i a1,b1 i a0,b0 1 i a0,b1 1 i a1,b1 1 i a1,b0 2 i a1,b0 1 i a0,b0 2 a a0,b0 a a0,b1 a a1,b0 a a1,b1 a a0,b0 1 a a0,b1 1 a a1,b1 1 a a1,b0 2 a a1,b0 1 a a0,b0 2
Product automaton A(N) ⊗ Exp(A(ProcA) x A(ProcB),{x=0})
Black edges: (!x==2, l) Red edges: ((!x=0 && !x==2),l) where l is a statement.
i
!x==0&&!x==2 !x==2 !x==2
A(N)
a
Automated Reasoning Lecture 12, page 24 Model Checking with Spin (III)
B ⊗ A = (S,s0,L,T,F) where
–
S = {(sB,sA,v) | sB ∈ B.S, (sA,v) ∈ A.S},
–
s0= (B.s0,s,v0) where A.s0 = (s,v0),
–
L= B.L x A.L,
–
T= {( (sB,sA,v) , (lB,lA) , (s'B,s'A,v') ) ∈ SxLxS | (sB,lB,s'B) ∈ B.T, ((sA,v),lA,(s'A,v')) ∈ A.T, exec(lB,v) = true }
–
F= {(sB,sA,v) ∈ S | sB ∈ B.F}
(where ℒX(A) = the valuation sequences in the runs in A, and
ℒX(B ⊗ A) = the valuation sequences in the accepting runs in B ⊗ A)
Automated Reasoning Lecture 12, page 25 Model Checking with Spin (III)
we need to find a cycle in the transition graph which goes through an accepting state and is reachable from the initial state
automaton
practice, very large and can be exponential in the size of the code. This is due to two factors:
– Interleaving of processes in the asynchronous product ∏A(Proci), – Exponential number of possible values of variables when expanding
automata
for bad cycles on-the-fly; constructs portions of the automaton only as needed.