automated reasoning model checking with spin
play

Automated Reasoning Model Checking with SPIN Alan Bundy Automated - PowerPoint PPT Presentation

Mar 04, 2023 •155 likes •341 views

Automated Reasoning Model Checking with SPIN Alan Bundy Automated Reasoning SPIN Lecture 10, page 1 Model Checking in Practice System behaviour: what is possible in our model? We will use the language Promela to specify behaviour

  1. Automated Reasoning Model Checking with SPIN Alan Bundy Automated Reasoning SPIN Lecture 10, page 1

  2. Model Checking in Practice ● System behaviour: what is possible in our model? – We will use the language Promela to specify behaviour ● Pro cess Me ta La nguage ● Similar to C ● Property specification: what are we checking for? – We will use the system Spin to check properties ● S imple P romela In terpreter ● Command-line and graphical user interfaces (XSpin) – Spin takes Promela specifications for the model and for properties ● Can generate Promela property specifications from LTL ● Generates automata from Promela code ● Uses automata to check for language emptiness and intersection Automated Reasoning SPIN Lecture 10, page 2

  3. Processes in Promela ● Model checking is typically used for checking – temporal properties (such as LTL formulae) – correctness of dynamic systems ● So processes are central to Promela: active proctype HelloWorld () { /* process code block (this is a comment) */ printf(“hello world\n”); } ● Processes are execution threads (not functions!) – Within a process block, code runs in order – But different processes run in any order (interleaved) – Processes marked active are started at runtime; others can be started with the run command Automated Reasoning SPIN Lecture 10, page 3

  4. Example: Fred Shopping ● [N] means to start N instances active proctype BuyLemonade () { of a process printf(“Fred is buying lemonade.\n”); } Spin sets a unique process id – active proctype BuyMilkAndWater() { in _pid printf(“Fred is buying milk.\n”); ● Different processes run in any printf(“Fred is buying water.\n”); order } Fred buys food, then milk, active[3] proctype BuyFood() { – then food ... atomic { printf(“PROCESS %d\n”, _pid); ● Processes can interleave printf(“Fred is buying food.\n”); Fred buys lemonade and food – } } between milk and water. FredShopping Exception: atomic blocks – run as a unit atomic block runs without interleaving with other processes Automated Reasoning SPIN Lecture 10, page 4

  5. Example: Fred Shopping (cont) Using Spin to simulate model % spin FredShopping ● % spin <file> perform random simulation (so might PROCESS 2 produce different output each time) Fred is buying food. Fred is buying milk. ● % spin -i <file> PROCESS 4 perform interactive simulation Fred is buying food. Fred is buying lemonade. active proctype BuyLemonade () { Fred is buying water. printf(“Fred is buying lemonade.\n”); PROCESS 3 } Fred is buying food. active proctype BuyMilkAndWater() { printf(“Fred is buying milk.\n”); printf(“Fred is buying water.\n”); } ● Tabs indicate the different processes active[3] proctype BuyFood() { atomic { (to suppress use spin -T <file> ) printf(“PROCESS %d\n”, _pid); printf(“Fred is buying food.\n”); } } Automated Reasoning SPIN Lecture 10, page 5

  6. Promela Types and Variables Type Typical Range Sample Declaration -2 31 ...2 31 -1 int int y = 2; bool false..true bool bought_milk = true; mtype 1...255 mtype a_drink; Arrays and user datatypes are also supported ● mtype s let us declare symbolic constants for more readable code ● and output (as Promela does not have string variables) mtype = { milk, water, lemonade }; /* declaration */ mtype a_drink = milk ; /* set a variable */ printm( a_drink ); /* prints 'milk' */ Variables can be global or local to a process ● Automated Reasoning SPIN Lecture 10, page 6

  7. Promela's if Statement ● i f..fi construct can be used to control statement execution if :: guard -> statement; :: guard -> statement; fi; The guard is a boolean expression that determines which ● statement will be executed – If there is a choice, one is picked non-deterministically – If none are true, the process blocks (waits) until a guard becomes true (e.g. if another process changes a global variable) – The keyword else can be used as a guard that evaluates to true iff nothing else does (i.e. if the if would block) Automated Reasoning SPIN Lecture 10, page 7

  8. Example: Fred Buying Drinks mtype = { milk, lemonade, water }; bool bought_milk = false, Global variables declaration bought_lemonade = false, bought_water = false; int num_drinks = 0; inline defines a macro inline buy_item (a_drink, bought_a_drink) { (i.e. textual substitution) ( item ==a_drink) -> bought_a_drink = true; } perhaps_buy is not active , proctype perhaps_buy (mtype item ) { so needs to be instantiated using atomic { run command bool bought_something = true; if :: buy_item(milk, bought_milk); Local variables declaration :: buy_item(lemonade, bought_lemonade); :: buy_item(water, bought_water); :: true -> bought_something = false; Non-deterministic choices are fi; possible here if /* output what Fred bought, if anything */ :: bought_something -> printf("FRED BOUGHT "); :: else -> printf("FRED DID NOT BUY "); fi; printm(item);printf("\n"); num_drinks++; } } FredsDrinks Automated Reasoning SPIN Lecture 10, page 8

  9. Example: Fred Buying Drinks (II) Continuing the previous example, we define one active proctype which makes Fred perhaps_buy his various drinks. % spin -T FredsDrinks Several runs are shown. FRED DID NOT BUY water FRED BOUGHT lemonade active proctype buy_drinks() { FRED DID NOT BUY milk run perhaps_buy(milk); FRED HAS FINISHED BUYING THINGS run perhaps_buy(lemonade); run perhaps_buy(water); % spin -T FredsDrinks if FRED BOUGHT milk :: num_drinks==3 -> FRED BOUGHT lemonade printf("FRED HAS FINISHED BUYING THINGS.\n"); FRED DID NOT BUY water fi; FRED HAS FINISHED BUYING THINGS } FredsDrinks % spin -T FredsDrinks The if clause blocks until at least one FRED BOUGHT water condition becomes true; here, it waits FRED DID NOT BUY milk until num_drinks equals three. FRED DID NOT BUY lemonade FRED HAS FINISHED BUYING THINGS Automated Reasoning SPIN Lecture 10, page 9

  10. Asserting Correctness with Spin We have looked at system behaviour in Promela ● Now we look at checking desired properties with Spin ● One way is to assert that a property is true: ● assert(bought_milk); – assert is actually a Promela statement, so where it is in the source code will affect when it is checked – During a simulation, Spin complains if the assertion fails – Spin can also attempt to verify that the assertion holds for all possible runs (i.e. all choices) – And Spin can find failing runs Automated Reasoning SPIN Lecture 10, page 10

  11. Fred's Drink Problem Revisited Recall Fred's drink problem from lecture 2: Fred bought milk or Fred bought lemonade. Fred bought milk or Fred bought water. Fred did not buy both water and lemonade. What did Fred buy? To solve this with model checking, we can use the code from the previous example, with the following assertion: assert(! ( (bought_milk || bought_lemonade) && (bought_milk || bought_water) && !(bought_lemonade && bought_water) ) ); FredsDrinksAssert This should be placed after he has finished buying drinks. Automated Reasoning SPIN Lecture 10, page 11

  12. Fred's Drink Problem (II) We assert the negation of the goal, so that Spin will complain about runs where the goal is true (i.e. counterexamples are our solution). The following output, giving us a possible answer, is generated if one runs Spin enough times: % spin -T FredsDrinksAssert FRED DID NOT BUY lemonade FRED BOUGHT water FRED BOUGHT milk FRED HAS FINISHED BUYING THINGS. spin: line 70 "FredsDrinksAssert", Error: assertion violated spin: text of failed assertion: assert(!((((bought_milk|| bought_lemonade)&&(bought_milk||bought_water))&&! ((bought_lemonade&&bought_water))))) #processes: 1 bought_milk = 1 bought_lemonade = 0 bought_water = 1 num_drinks = 3 34: proc 0 (buy_drinks) line 70 "FredsDrinksAssert" (state 9) 4 processes created Automated Reasoning SPIN Lecture 10, page 12

  13. Fred's Drink Problem (III) ● Of course we do not want to run Spin over and over again! ● Spin can generate a verifier which checks all behaviours ● % spin -a <file> : generate C-code pan.c of the verifier ● Run the verifier pan to find the error trails % spin -a FredsDrinksAssert # build a verifier: spin puts this in pan.c % cc -o pan pan.c # compile the verifier to pan % ./pan -e -c5 # run the verifier and find up to 5 errors pan: assertion violated !((((bought_milk||bought_lemonade)&& ... pan: wrote FredsDrinksAssert1.trail pan: wrote FredsDrinksAssert2.trail pan: wrote FredsDrinksAssert3.trail ... State-vector 32 byte, depth reached 19, errors: 3 Automated Reasoning SPIN Lecture 10, page 13

  14. Fred's Drink Problem (IV) % spin -a FredsDrinksAssert # build a verifier: spin puts this in pan.c % cc -o pan pan.c # compile the verifier to pan % ./pan -e -c5 # run the verifier and find up to 5 errors pan: assertion violated !((((bought_milk||bought_lemonade)&& ... pan: wrote FredsDrinksAssert1.trail pan: wrote FredsDrinksAssert2.trail Error trails pan: wrote FredsDrinksAssert3.trail are written to ... these files State-vector 32 byte, depth reached 19, errors: 3 ... % ./pan -r1 # run error trail 1 ... FRED BOUGHT milk ... ... FRED BOUGHT lemonade ... ... FRED DID NOT BUY water ... ... FRED HAS FINISHED BUYING THINGS. ... ● The verifier for FredsDrinksAssert found 3 error trails ● Run pan -r X to simulate the model along trail X Automated Reasoning SPIN Lecture 10, page 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Automated Reasoning Model Checking with Spin (III) Alan Bundy Automated Reasoning Model

Automated Reasoning Model Checking with Spin (III) Alan Bundy Automated Reasoning Model

Automated Reasoning Model Checking with Spin (III) Alan Bundy Automated Reasoning Model Checking with Spin (III) Lecture 12, page 1 Outline of Verification Process Objective: form one big automata, which Spin can use for verification.

1.01k views • 25 slides
Automated Reasoning Model Checking with SPIN (II) Alan Bundy Automated Reasoning SPIN (II)

Automated Reasoning Model Checking with SPIN (II) Alan Bundy Automated Reasoning SPIN (II)

Automated Reasoning Model Checking with SPIN (II) Alan Bundy Automated Reasoning SPIN (II) page 1 Verifying Global Properties Assertions can be used to verify a property locally locally For example, place assert(MemReturned) at the

441 views • 25 slides
Automated Reasoning LTL Model Checking Alan Bundy Automated Reasoning LTL Model Checking

Automated Reasoning LTL Model Checking Alan Bundy Automated Reasoning LTL Model Checking

Automated Reasoning LTL Model Checking Alan Bundy Automated Reasoning LTL Model Checking Lecture 9, page 1 Introduction So far we have looked at theorem proving Powerful, especially where good sets of rewrite rules or decision procedures

639 views • 26 slides
Automated Reasoning 6 AI Slides (6e) c Lin Zuoquan@PKU 1998-2020 1 6 6 Automated Reasoning

Automated Reasoning 6 AI Slides (6e) c Lin Zuoquan@PKU 1998-2020 1 6 6 Automated Reasoning

Automated Reasoning 6 AI Slides (6e) c Lin Zuoquan@PKU 1998-2020 1 6 6 Automated Reasoning 6.1 Automated theorem proving 6.2 Forward and backward chaining 6.3 Resolution 6.4 Model checking AI Slides (6e) c Lin Zuoquan@PKU

1.02k views • 97 slides
Automated Reasoning Lecture 3: Tie NuSMV Model Checler Jacques Fleuriot jdf@inf.ed.ac.uk Recap

Automated Reasoning Lecture 3: Tie NuSMV Model Checler Jacques Fleuriot jdf@inf.ed.ac.uk Recap

Automated Reasoning Lecture 3: Tie NuSMV Model Checler Jacques Fleuriot jdf@inf.ed.ac.uk Recap Previously: Model Checking Introduction Linear Temporal Logic Tiis time: An implementation of LTL Model Checking NuSMV NuSMV

442 views • 23 slides
Automated Reasoning: Some Successes and New Challenges Predrag Jani ci c

Automated Reasoning: Some Successes and New Challenges Predrag Jani ci c

What is this talk about? What is automated reasoning? Automated reasoning in propositional logic Automated reasoning in first-order logic Automated reasoning in higher-order logic Automated reasoning in geometry Conclusions Automated

806 views • 52 slides
VTSA10 Summer School, Luxembourg, September 2010 Introduction Probabilistic model checking

VTSA10 Summer School, Luxembourg, September 2010 Introduction Probabilistic model checking

VTSA10 Summer School, Luxembourg, September 2010 Introduction Probabilistic model checking Model checking Automated formal verification for finite-state models Finite-state model System Result Model checker e.g. SMV, Spin Counter-

776 views • 58 slides
Automated Reasoning Course Presentation Summary Automated Reasoning Motivations Course Plan

Automated Reasoning Course Presentation Summary Automated Reasoning Motivations Course Plan

Automated Reasoning Automated Reasoning Course Presentation Summary Automated Reasoning Motivations Course Plan Resources Exam Methods Motivations Automated Reasoning Automated reasoning mechanising the reasoning process. reasoning :

159 views • 14 slides
Lecture 5. Symbolic model checking. NuSMV and SPIN model checkers. User-friendly model checking

Lecture 5. Symbolic model checking. NuSMV and SPIN model checkers. User-friendly model checking

Lecture 5. Symbolic model checking. NuSMV and SPIN model checkers. User-friendly model checking ELEC-E8110 Automation Systems Synthesis and Analysis Igor Buzhinsky igor.buzhinskii@aalto.fi 2018 Igor Buzhinsky Lecture 5 2018 1 / 28 Symbolic

833 views • 61 slides
Verifying Automated Reasoning Results Marijn J.H. Heule http://www.cs.cmu.edu/~mheule/15816-f19/

Verifying Automated Reasoning Results Marijn J.H. Heule http://www.cs.cmu.edu/~mheule/15816-f19/

Verifying Automated Reasoning Results Marijn J.H. Heule http://www.cs.cmu.edu/~mheule/15816-f19/ https://github.com/marijnheule/proof-demo Automated Reasoning and Satisfiability, October 10, 2019 1 / 53 Outline Introduction Proof Checking

825 views • 80 slides
Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is

Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is

Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is Model Checking? Model checking is an automated technique that, given a finite-state model of a system and a logical property , systematically

484 views • 36 slides
Automated Reasoning for System Security and Privacy Laura Kovcs Chalmers Automated Reasoning

Automated Reasoning for System Security and Privacy Laura Kovcs Chalmers Automated Reasoning

Chalmers Automated Reasoning for System Security and Privacy Laura Kovcs Chalmers Automated Reasoning for Rigorous Systems Engineering In a vague sense, automated reasoning involves: 1. Representing a problem as a mathematical/logical

696 views • 53 slides
Automated Reasoning Introduction Jacques Fleuriot Automated Reasoning Introduction Lecture 1,

Automated Reasoning Introduction Jacques Fleuriot Automated Reasoning Introduction Lecture 1,

Automated Reasoning Introduction Jacques Fleuriot Automated Reasoning Introduction Lecture 1, page 1 What is it to Reason? Informally, reasoning is: to seek or attain knowledge or truth or the process of drawing conclusions with

876 views • 18 slides
Automated Reasoning 1 Automated Reasoning John Harrison Univ ersit y of Cam bridge

Automated Reasoning 1 Automated Reasoning John Harrison Univ ersit y of Cam bridge

Automated Reasoning 1 Automated Reasoning John Harrison Univ ersit y of Cam bridge What is automated reasoning? Automatic vs. in teractiv e. Successes of the AI and logic approac hes Dev elopmen t of

523 views • 23 slides
Automated Reasoning (what this course is about) AUTOMATED REASONING machine does 'thinking'

Automated Reasoning (what this course is about) AUTOMATED REASONING machine does 'thinking'

0ai Automated Reasoning (what this course is about) AUTOMATED REASONING machine does 'thinking' machine does book-keeping, Krysia Broda user does nothing user does 'thinking'. Room 378 Concerned with GENERAL DEDUCTION - applicable in many

390 views • 5 slides
8/8/2007 Model Checking Motivation More and more complex systems Increased dependability

8/8/2007 Model Checking Motivation More and more complex systems Increased dependability

8/8/2007 Model Checking Motivation More and more complex systems Increased dependability : everything important Demonstration Of depends on computers SPIN SPIN Increased functionality : security, mobility Testing is becoming

202 views • 3 slides
Lemonade Profile and Related Mobile Drafts Stphane H. Maes stephane.maes@oracle.com

Lemonade Profile and Related Mobile Drafts Stphane H. Maes stephane.maes@oracle.com

IETF 60 Lemonade San Diego, CA August 2004 Lemonade Profile and Related Mobile Drafts Stphane H. Maes stephane.maes@oracle.com Overview of Drafts IMAP profile draft-ietf-lemonade-profile-00.txt Server-client

551 views • 12 slides
Ontologies and Knowledge-based Systems Is there a flexible way to represent relations? How can

Ontologies and Knowledge-based Systems Is there a flexible way to represent relations? How can

Ontologies and Knowledge-based Systems Is there a flexible way to represent relations? How can knowledge bases be made to interoperate semantically? D. Poole and A. Mackworth 2017 c Artificial Intelligence, Lecture 14.1, Page 1 1 / 12

336 views • 18 slides
Choosing Objects and Relations How to represent: Pen #7 is red. 2 Its easy to ask

Choosing Objects and Relations How to represent: Pen #7 is red. 2 Its easy to ask

Choosing Objects and Relations How to represent: Pen #7 is red. 2 Its easy to ask Whats red? Cant ask what is the color of pen 7 ? 3 Its easy to ask Whats red? Its easy to ask What is the color

311 views • 16 slides
Peaches, Lemons, and Cookies: Designing Auction Markets with Dispersed Information Moshe

Peaches, Lemons, and Cookies: Designing Auction Markets with Dispersed Information Moshe

Peaches, Lemons, and Cookies: Designing Auction Markets with Dispersed Information Moshe Babaioff (Microsoft Research) Joint work with Ittai Abraham (Microsoft Research), Susan Athey (Harvard &amp; Microsoft) Michael Grubb (MIT) Innovations

636 views • 44 slides
Policy-driven Negotiation for Authorization in the Grid Ionut Constandache Duke University

Policy-driven Negotiation for Authorization in the Grid Ionut Constandache Duke University

Policy-driven Negotiation for Authorization in the Grid Ionut Constandache Duke University Daniel Olm edilla L3S Research Center Frank SiebenList Argonne National Laboratory 8 th IEEE POLICY Bologna, Italy, 15 th June 20 0 7 Outline

414 views • 19 slides
QC ARCHITECTURE: WHEN LIFE GIVES YOU LEMONS University of Michigan LEMONS LEMONADE

QC ARCHITECTURE: WHEN LIFE GIVES YOU LEMONS University of Michigan LEMONS LEMONADE

Igor L. Markov QC ARCHITECTURE: WHEN LIFE GIVES YOU LEMONS University of Michigan LEMONS LEMONADE Traditional digital systems Qubit systems Huge numbers of fast gates and wires Very few, flaky gates; so-so interconnect of

765 views • 14 slides
by Rich Mayorga Awards are fine; they do NOT = respect Speak the truth, model, vote,

by Rich Mayorga Awards are fine; they do NOT = respect Speak the truth, model, vote,

by Rich Mayorga Awards are fine; they do NOT = respect Speak the truth, model, vote, volunteer Teacher respect for me = AP facilitator Our kids are not capable, is not just Create programs for all levels of kids

379 views • 15 slides
SIKS tutorial Agent Systems Multi-agent learning Gerard Vreeswijk Intelligent Systems

SIKS tutorial Agent Systems Multi-agent learning Gerard Vreeswijk Intelligent Systems

Introduction Cournot dynamics Alternative Cournot dynamics SIKS tutorial Agent Systems Multi-agent learning Gerard Vreeswijk Intelligent Systems Group, Computer Science Department Faculty of Sciences, Utrecht University, The Netherlands

1.45k views • 141 slides

More recommend