CISC422/853: Formal Methods in Software Engineering: Computer-Aided Verification
Topic 6: Intro to Promela and Spin
Juergen Dingel
Feb, 2009
Readings: Spin book, Chapters 3, 7, 11, 12
CISC422/853, Winter 2009

Modeling Behaviour of Systems
• Where are we?
  ° We've decided to use FSAs to model the behaviour of software systems
  ° Have seen:
    - Definition
    - Two types of parallel composition
    - Various extensions
• What's next?
  ° To be able to feed FSAs into a model checker, we need to be able to express FSAs textually in some language
  ° Also, it would be nice if that language was as high-level (user-friendly) as possible
  ° Two examples of modeling languages based on FSAs:
    - BIR (used by the Bogor model checker)
    - Promela (used by the Spin model checker)

Promela and Spin
• Promela (PROcess MEta LAnguage):
  ° modeling language used to describe concurrent systems, e.g.,
    - network protocols, telephone systems
    - multi-threaded programs that communicate via shared variables, or synchronous/asynchronous message passing
  ° used by…
• SPIN (Simple Promela INterpreter):
  ° analyzes Promela programs to detect errors such as
    - deadlocks, race conditions,
    - violations of assertions, invariants, safety and liveness properties
  ° developed since the late 1970s by Gerard Holzmann at Bell Labs (now at NASA's Jet Propulsion Laboratory)
  ° received the ACM Software System Award in 2001

Intro to Promela
• http://spinroot.com/spin/Doc/SpinTutorial.pdf :
More Promela
• atomic
  ° forces a sequence of statements to be executed atomically (no other process can interleave with it)
  ° should be used as little as possible (why? every atomic sequence removes interleavings that the real system may exhibit, so a bug hidden in those interleavings goes unreported)
• timeout
  ° becomes executable when no other statement in the system is executable
  ° note that there's no time argument
  ° should be used as little as possible (why? a timeout that becomes executable whenever everything else blocks can turn a deadlock the verifier would report into an execution that simply continues)
• labels
  ° for gotos
  ° for identifying states that are used to express properties (more later):
    - accepting states, e.g.: accept0: do :: true od
    - end states
    - progress states, e.g.: progress: sendbit = 1-sendbit

More Promela (Cont'd)
• macros (cpp preprocessor)
  ° #define DEBUG 1
  ° #ifdef DEBUG

Using Spin
• All described in
  ° G. Holzmann, The Spin Model Checker: Primer and Reference Manual. Addison Wesley. 2003.
  ° www.spinroot.com
Using Spin (Cont'd)
• Use Spin/XSPIN to
  ° check syntax of model: spin -A model.prom
  ° simulate the model
    - randomly: spin -p model.prom
    - interactively (the user picks each step; -i is the interactive flag): spin -i -p model.prom
  ° generate verifier: spin -a model.prom
  ° inspect/display error traces: spin -t -p model.prom
• Use verifier to check model for
  ° assertion violations
  ° deadlock (invalid end states) (default)
  ° non-progress and acceptance cycles
  ° complex temporal properties expressed as
    - never claims
    - Linear Temporal Logic formulas

Using Spin (Cont'd)
• >spin -a mysys.prom
  ° creates a dedicated PROMELA analyzer C program (pan.*) that implements an exhaustive search on the system described in mysys.prom
• >gcc pan.c -o pan.exe
  ° compiles the analyzer source (pan.c) to yield an executable (pan.exe)
  ° lots of compiler flags
• >pan.exe
  ° runs the analyzer
  ° lots of command-line flags
  ° produces mysys.prom.trail containing the violating trace (when an error is found)
• >spin -t mysys.prom
  ° runs SPIN in simulation mode along the trace in mysys.prom.trail
  ° prints out diagnostic information
PROMELA Semantics
Each PROMELA proctype (process) p describes an FSA (S, S0, L, δ, F) with
• states S: control locations in p
• initial states S0: {first control location in p}
• labels L: basic statements in p
  ° assignments: x = e
  ° assertions: assert(b)
  ° print statements: printf("%d\n", x)
  ° send or receive statements: c!3 or c?x
  ° expression statements: (x == 3)

Using XSPIN
• XSPIN also generates a graphical representation of the FSA corresponding to a PROMELA model

PROMELA Semantics (Cont'd)
Each PROMELA proctype (process) p describes an FSA (S, S0, L, δ, F) with
• transition relation δ: the control flow graph of p
• final states F: a combination of
  ° end states: the last location of p and locations labeled with "end"
  ° progress states: locations in p labeled with "progress"
  ° accepting states: locations in p labeled with "accept"
  depending on what we check for (more on this later)
Note:
• Basic statements are the statements that label transitions; they are executed as one step and may change variables
• if, goto, ;, ->, do, break, unless, atomic are not basic statements and are not used as labels (they only shape the control flow graph)

PROMELA Semantics (Cont'd)
For example: (control flow graph of a proctype; figure not reproduced here)
PROMELA Semantic Engine
• The semantic engine of SPIN constructs the PROMELA model (i.e., the iFSA corresponding to the FSA representing the PROMELA program) in a step by step manner
• Construction of the model and error checking happen at the same time ("on-the-fly" model checking)
• Two basic modes
  ° simulation (random, guided, interactive)
  ° verification

PROMELA Semantic Engine (Cont'd)
The semantic engine stores information about
• global variables (e.g., current values)
• message channels (e.g., current contents)
• processes
  ° names, types, initial and current values of local variables
  ° current state (i.e., control location)
  ° transition relation
    - source and target location of each transition
    - enabledness condition and effect of each transition

Random Simulation Algorithm of SPIN's Semantic Engine

  while (!error & !allBlocked) {
    // visit all processes and collect all executable actions
    ActionList menu = getCurrentExecutableActions();
    allBlocked = (menu.size() == 0);
    if (!allBlocked) {
      // for interactive simulation: act is chosen by the user
      Action act = menu.chooseRandom();
      // execute act and make the system enter the new state
      error = act.execute();
    }
  }

Simplified Verification Algorithm of SPIN's Semantic Engine
• By default, SPIN uses a depth first search algorithm (DFS) to generate and explore the complete state space
• Can also ask for BFS

  procedure dfs(s: state) {
    if error(s) reportError(CurrentPath);
    foreach (successor t of s) {
      // AlreadySeen requires "state matching", implemented as a hash table
      if (t not in AlreadySeen) {
        add t to AlreadySeen;
        // CurrentPath: stack containing the path from the initial state to the current state
        push(t, CurrentPath);
        dfs(t);
        pop(CurrentPath);
      }
    }
  }

More later!
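The semantic engine and the two algorithms above, as an added example that is not code from the slides or from SPIN: a toy explicit-state checker in Python that keeps the slides' vocabulary. A proctype is an FSA whose states are control locations and whose edges carry basic statements (expression statement, assignment, assert, and an atomic sequence of those); the engine's state is the current values of the global variables plus one control location per process; random_simulation() is the random simulation loop and verify() the simplified DFS with state matching and a CurrentPath stack that becomes the trail. It also exercises the atomic caveat from the "More Promela" slide and the two default checks listed under "Using Spin" (assertion violations and invalid end states). Assumptions: the helper names (expr, assign, assert_, atomic, freeze, step, verify, mutex_proc, WAITERS) are mine, not SPIN's; there are no channels, no end/progress/accept labels and no local variables; a statement that blocks inside an atomic sequence is reported as an error rather than losing atomicity as SPIN does; both models are constructed for illustration.

```python
# Toy explicit-state checker in the style of SPIN's semantic engine: an added example, not
# code from the slides or from SPIN. A system state is (global variables, control locations).
import random

# Basic statements are (kind, fn) pairs; fn takes the dict of global variables. expr: a guard,
# executable only when fn(g) is true, no effect. assign: fn(g) returns the updated globals.
# assert: error when fn(g) is false. atomic: fn is a list of statements run as one step.
def expr(fn):       return ("expr", fn)
def assign(fn):     return ("assign", fn)
def assert_(fn):    return ("assert", fn)
def atomic(*stmts): return ("atomic", list(stmts))

def executable(stmt, g):  # enabledness condition; atomic is enabled iff its first step is
    kind, fn = stmt
    return bool(fn(g)) if kind == "expr" else executable(fn[0], g) if kind == "atomic" else True

def execute(stmt, g):
    """Effect of a transition: (new globals, error message or None)."""
    kind, fn = stmt
    if kind == "assign":
        return fn(g), None
    if kind == "assert":
        return g, (None if fn(g) else "assertion violated")
    if kind == "atomic":
        for s in fn:  # simplification: blocking inside atomic is reported as an error
            g, err = execute(s, g) if executable(s, g) else (g, "blocked inside atomic")
            if err:
                return g, err
    return g, None

# A proctype is {control location: [(stmt, next location), ...]}; a location with no outgoing
# edges is its end state. A state is (frozen globals, tuple of pcs), hashable for state matching.
def freeze(g):
    return tuple(sorted(g.items()))

def current_executable_actions(procs, state):
    """getCurrentExecutableActions(): enabled (process, stmt, next location) triples."""
    g, pcs = state
    return [(i, stmt, nxt) for i, p in enumerate(procs)
            for stmt, nxt in p.get(pcs[i], []) if executable(stmt, dict(g))]

def step(state, act):
    """act.execute(): make the system enter the successor state."""
    g, pcs = state
    i, stmt, nxt = act
    newg, err = execute(stmt, dict(g))
    return (freeze(newg), pcs[:i] + (nxt,) + pcs[i + 1:]), err

def random_simulation(procs, init, seed=0, max_steps=100):
    """Random simulation loop from the slides: (error or None, last state reached)."""
    rng, state, err = random.Random(seed), init, None
    for _ in range(max_steps):
        menu = current_executable_actions(procs, state)
        if err or not menu:  # error found, or allBlocked
            break
        state, err = step(state, rng.choice(menu))
    return err, state

def verify(procs, init):
    """Simplified DFS verifier from the slides: `seen` is AlreadySeen (state matching), `path`
    is CurrentPath and becomes the trail, like pan's .trail file. Reports assertion violations
    and invalid end states (all blocked, some process not at its end location)."""
    seen, path = {init}, [init]
    def dfs(s):
        menu = current_executable_actions(procs, s)
        if not menu and any(procs[i].get(pc) for i, pc in enumerate(s[1])):
            return "invalid end state (deadlock)", list(path)
        for act in menu:
            t, err = step(s, act)
            if err:
                return err, path + [t]
            if t not in seen:
                seen.add(t)
                path.append(t)
                if (found := dfs(t)):
                    return found
                path.pop()
        return None
    err, trail = dfs(init) or (None, None)
    return err, trail, len(seen)   # (error, counterexample trail, number of states explored)

# Constructed model: two copies of a lock-protected critical section. With the lock test and
# the lock set as separate statements both processes can pass the test before either sets the
# lock, so assert(cs <= 1) fails; atomic{...} removes that interleaving, which is also why
# atomic should be used sparingly: it hides interleavings the real system may exhibit.
def mutex_proc(use_atomic):
    test = expr(lambda g: g["lock"] == 0)
    take = assign(lambda g: dict(g, lock=1))
    return {0: [(atomic(test, take), 1)] if use_atomic else [(test, "t")],
            "t": [(take, 1)],
            1: [(assign(lambda g: dict(g, cs=g["cs"] + 1)), 2)],
            2: [(assert_(lambda g: g["cs"] <= 1), 3)],
            3: [(assign(lambda g: dict(g, cs=g["cs"] - 1, lock=0)), 4)]}
MUTEX_INIT = (freeze({"lock": 0, "cs": 0}), (0, 0))

# Constructed circular wait: each process waits for a flag the other sets only after its own
# wait, so the initial state is already an invalid end state.
WAITERS = [{0: [(expr(lambda g: g["go"] == 1), 1)], 1: [(assign(lambda g: dict(g, done=1)), 2)]},
           {0: [(expr(lambda g: g["done"] == 1), 1)], 1: [(assign(lambda g: dict(g, go=1)), 2)]}]
WAITERS_INIT = (freeze({"go": 0, "done": 0}), (0, 0))
```

verify([mutex_proc(False)] * 2, MUTEX_INIT) returns "assertion violated" with a trail whose last state has cs == 2, the interleaving a random simulation may or may not stumble on; verify([mutex_proc(True)] * 2, MUTEX_INIT) explores 16 states and reports nothing; verify(WAITERS, WAITERS_INIT) reports the invalid end state at the initial state. The trail is what spin -t replays from the .trail file; here it is a list of system states that a reader can print. The atomic version is not "more correct" about the real program, it only states that the test and the set cannot be separated, which is exactly the modelling assumption the slide warns about.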
More Info on PROMELA and SPIN
• Gerard Holzmann. The Spin Model Checker: Primer and Reference Manual. Addison Wesley. 2003
  ° Chapter 3 (Promela)
  ° Chapter 7 (Semantics)
  ° Chapter 11 (Using Spin)
  ° Chapter 12 (Using Xspin)
• spinroot.com
  ° spinroot.com/spin/Man/index.html
    - Manual pages
    - Basic Spin Manual
    - Guidelines for using Spin and XSPIN
    - Tutorials