Automated Reasoning Model Checking with Spin (III) Alan Bundy - PowerPoint PPT Presentation

Automated Reasoning Model Checking with Spin (III) Alan Bundy Automated Reasoning Model Checking with Spin (III) Lecture 12, page 1

Outline of Verification Process ● Objective: form one big automata, – which Spin can use for verification. ● Turn Promela code into automata. ● Combine multiple automata, – via asynchronous products. ● Incorporate variable valuations, – via automata expansions. ● Incorporate never claims, – via synchronous products. Automated Reasoning Model Checking with Spin (III) Lecture 12, page 2

Turn Promela into Automata 1 The meaning of a Promela model (i.e. how it executes) can be ● understood from the automaton it describes. Some simplifying assumptions: ● – no local variables, – no atomic{...} statements, and – no run ... operators (as mentioned earlier) (see Promela manual for complete semantics) Automated Reasoning Model Checking with Spin (III) Lecture 12, page 3

Turn Promela into Automata 2 Code for each proctype describes a finite state automaton ● So a Promela model can be seen as a collection of automata ● running concurrently and interactively We shall show by examples how to construct the automaton ● described by each proctype . Roughly, – Each location in the code becomes a state in the automaton; recall that a location can have one or more labels (e.g. init: ) – First location becomes the initial state – Control-flow statements describe the transitions from the current state, and – Basic statements label the transitions Automated Reasoning Model Checking with Spin (III) Lecture 12, page 4

Statements in Promela ● Two main types of statements in Promela: basic statements and control-flow statements ● So far we have seen the following control-flow statements: ';', if...fi, do...od, goto, break, atomic ● And the following basic statements: – Expressions: x+5, !(x>3 && b==true) – Assignments: x=x+1 – Assertions: assert(x>0) – Print statements: printf(...), printm(...) ● Some keywords are predefined in terms of others, e.g. true = skip = 1, false = 0 Automated Reasoning Model Checking with Spin (III) Lecture 12, page 5

Example 1: Promela to Automata The automaton A( Counter ) = (S,s 0 ,L,T,F) described by proctype Counter is ● depicted below. Notice that each (and only each) basic statement becomes a label. ● active proctype Counter(){ bool b=false; s 0 int x=0; y=y+x b=true do ::x<N -> { x<N !b&&x==N x=x+1; b&&x==N y=y+x } s 1 s 2 s 3 ::(b && x==N) -> break assert(y==N x=x+1 x=0 ::(!b && x==N) -> { *(N+1) x=0; s 4 s 5 s 6 b=true } od; assert(y==N*(N+1)) } Counter Automated Reasoning Model Checking with Spin (III) Lecture 12, page 6

Example 2: Promela to Automata active proctype Security(){ int i=0; i=i+1 s_try s_try: if ::i<N -> i>=N i<N if ::true -> goto s_okay; s 1 s_fail ::true -> i=i+1 fi; true true ::i>=N -> s 2 s_okay goto s_fail fi; run goto s_try; Authorise s_okay: s_end run Authorise(); printf(“Failed”) goto s_end; skip s_fail: s 3 printf("Failed."); s_end: skip } Security Automated Reasoning Model Checking with Spin (III) Lecture 12, page 7

Spin's Automata Generation The verifier that Spin builds can display the automaton for each proctype . ● Use . /pan -d % spin -a -o3 Security #Build verifier for Security, -o3 = disable statement merging % cc -o pan pan.c #Compile verifier % ./pan -d #Display automata proctype Security state 10 -(tr 5)-> state 6 [id 0 tp 2] [----L] line 5 => ((i<10)) state 10 -(tr 7)-> state 15 [id 7 tp 2] [----L] line 5 => ((i>=10)) state 6 -(tr 1)-> state 13 [id 1 tp 2] [----L] line 7 => (1) state 6 -(tr 1)-> state 5 [id 3 tp 2] [----L] line 7 => (1) state 13 -(tr 8)-> state 16 [id 12 tp 2] [----G] line 16 => (run Auth...) state 16 -(tr 1)-> state 17 [id 15 tp 2] [----L] line 21 => (1) state 17 -(tr 10)-> state 0 [id 16 tp 3500] [--e-L] line 22 => -end- state 5 -(tr 6)-> state 10 [id 4 tp 2] [----L] line 9 => i = (i+1) state 15 -(tr 9)-> state 16 [id 14 tp 2] [----L] line 19 => printf('F..') proctype Authorise state 1 -(tr 3)-> state 2 [id 17 tp 2] [----L] line 25 => printf('A..') state 2 -(tr 4)-> state 0 [id 18 tp 3500] [--e-L] line 26 => -end- Transition Type: A=atomic; D=d_step; L=local; G=global Source-State Labels: p=progress; e=end; a=accept; Automated Reasoning Model Checking with Spin (III) Lecture 12, page 8

Combining Automata 1 Given a Promela model M consisting of proctype Proc 1 ,..., Proc n . ● To simplify matters, assume that all these proctypes are active and no ● dynamic process creation is allowed, i.e. no run operators. M can be seen as describing another automaton A(M) whose states ● depend upon the state of each A( Proc i ). During each transition some A( Proc i ) changes states (hence the state of the automaton for M changes). This is called interleaving concurrency. We formalise such an automaton as the so-called asynchronous ● product (aka interleaving product) of its component automata. Automated Reasoning Model Checking with Spin (III) Lecture 12, page 9

Example: Combining Automata A( ProcA ) A( ProcB ) Promela model Aut: a 0 b 0 int x=0; x=x/2 x=x+1 active proctype ProcA() { do !(x%2) x<2 ::!(x%2) -> x=x/2 a 1 b 1 od } a 0 ,b 0 x=x+1 x=x/2 active proctype ProcB() { do ::x<2 -> x=x+1 !(x%2) od x<2 a 1 ,b 0 a 0 ,b 1 } Aut x=x+1 x=x/2 A( ProcA ) x A( ProcB ) a 1 ,b 1 x<2 !(x%2) Automated Reasoning Model Checking with Spin (III) Lecture 12, page 10

Asynchronous Product Given automata A 1 ,A 2 ,...,A n , the asynchronous product A 1 x A 2 x ... x A n = ● ∏A i is (S,s 0 ,L,T,F) where – S=A 1 .S x A 2 .S x ... x A n .S – s 0 =(A 1 .s 0 , A 2 .s 0 , ..., A n .s 0 ) – L= U A i .L – T={( (s 1 ,s 2 ,...,s n ) , l , (t 1 ,t 2 ,...,t n ) ) ∈ S x L x S | ∃ i. (s i ,l,t i ) ∈ A i .T and ∀ j≠i. s j = t j } – F={(s 1 ,s 2 ,...,s n ) | ∃ i. s i ∈ A i .F} Promela model M consisting of proctype Proc 1 ,..., Proc n can be ● viewed as the automaton A(M)= ∏A( Proc i ). Automated Reasoning Model Checking with Spin (III) Lecture 12, page 11

Incorporating Variable Valuations Let X be a set of variables in M. A valuation v over X is a function ● which assigns , for each variable x, a value in its domain. E.g. a valuation v over X={ x:int,b:bool } such that v( x )=0 and v( b )=true. A run (a trail or an execution) in M is a (finite or infinite) ● sequence of the form l 0 l 1 l i l i+1 ... (s 0 ,v 0 ) (s 1 ,v 1 ) ... (s i ,v i ) (s i+1 ,v i+1 ) where s i ∈ A(M).S, l i ∈ A(M).L, and v i a valuation over X, – s 0 = A(M).s 0 and v 0 is the initial valuation – (s i ,l i ,s i+1 ) ∈ A(M).T, – exec(l i , v i ) = true, – v i+1 = effect(l i , v i ) – Automated Reasoning Model Checking with Spin (III) Lecture 12, page 12

Valuation Terminology Predicate exec(l,v) is called executability condition . ● Function effect(l,v) is called effect function . ● (where l is a basic statement and v a valuation) If e is an expression and e(v) the value of e under v, ● – exec(e,v) = e(v)>0 effect(e,v) = v – exec( x= e,v) = true effect( x= e,v) = v[ x :=e(v)] – exec(l,v) = true effect(l,v) = v (where l is an assertion or a print statement) See Promela manual for more complete descriptions Automated Reasoning Model Checking with Spin (III) Lecture 12, page 13

Example: Model Runs For example, a run in model Aut is ● a 0 ,b 0 x=x+1 x=x/2 a 0 ,b 0 a 0 ,b 1 a 0 ,b 0 a 0 ,b 1 ... x<2 x=x+1 x<2 x=0 x=0 x=1 x=1 !(x%2) x<2 a 1 ,b 0 a 0 ,b 1 x=x+1 x=x/2 But the following is not ● a 0 ,b 0 a 0 ,b 1 a 0 ,b 0 a 1 ,b 0 ... x<2 x=x+1 !(x%2) a 1 ,b 1 x=0 x=0 x=1 x=1 x<2 !(x%2) !(x%2) is not executable here. exec( !(x%2) ,{ x =1}) = false Automated Reasoning Model Checking with Spin (III) Lecture 12, page 14

Automata Expansion Variable valuations can be incorporated using the expansion of the ● automaton A(M) . Given an automaton A (where each label is a basic statement using only ● variables in X) and the initial valuation v 0 , define an automaton A v 0 =(S,s 0 ,L,T,F) where S={(s,v) | v a valuation and s ∈ A.S} – s 0 =(A.s 0 ,v 0 ) – L=A.L – T={( (s,v) , l , (s',v') ) ∈ S x L x S |(s,l,s') ∈ A.T, exec(l,v) = true, – v' = effect(l,v) } F={(s f ,v) ∈ S | s f ∈ A.F} – The expansion of A with initial valuation v 0 , denoted Exp(A,v 0 ) , is ● the restriction of A v 0 to those states reachable from s 0 – A run in M is simply a run in Exp(A(M),v 0 ). – A Spin simulation of M is just a simulation of Exp(A(M),v 0 ). Automated Reasoning Model Checking with Spin (III) Lecture 12, page 15

Example: Automata Expansion Exp(A( ProcA ) x A( ProcB ),{ x =0}) A( ProcA ) x A( ProcB ) x=x/2 a 0 ,b 0 0 x<2 a 0 ,b 0 x=x+1 x=x/2 a 0 , b 1 a 1 ,b 0 0 0 !(x%2) x=x+1 !(x%2) x=x/2 x<2 a 0 ,b 0 a 1 ,b 1 a 1 ,b 0 x=x/2 a 0 ,b 1 x<2 1 0 x=x+1 x=x/2 a 1 ,b 0 x<2 a 0 , b 1 1 1 x=x+1 a 1 ,b 1 x=x+1 x<2 !(x%2) x<2 a 1 ,b 1 a 0 ,b 0 1 2 !(x%2) a 1 ,b 0 2 x=x+1 Automated Reasoning Model Checking with Spin (III) Lecture 12, page 16