huthmodelcheckspin(loc 3rd chapter)

8/12/2019 HuthModelCheckSpin(Loc 3rd Chapter)

1/107

Verification by Model Checking 1

Verification by Model Checking

Formal Methods Laboratory

University of Tehran

Based on the chapter 3 of Logic in Computer Science,

Huth & Ryan


2/107


Part 1 : Motivation


3/107


Introduction

Verification: verifying the correctness of

computer systems

hardware, software or combination

It is most obvious in

safety-critical systems

commercially critical

mission critical


4/107


Verification parts

Formal Verification techniques consist of three

parts:

1. A framework for modeling systems

some kind of specification language

2. A specification language

for describing the properties to be verified

3. A verification method

for establishing if the description of the system

satisfies the specification


5/107


Classification

Approaches to verification can be classified in

several ways:

Proof-based vs. model-based

Degree of automation

Full- vs. property- verification

Intended domain of application

hardware-software, sequential-concurrent, reactive-terminating,

Pre- vs. post- development


6/107


Proof-based verification

The system description is a set of formulain a

suitable logic

The specification is another formula

The verification method is finding a proof that

means deduction

It typically needs the user guidance and expertise


7/107


Model-based verification

The system is represented by a model Mfor an

appropriate logic

The specification is again represented by a

formula

The verification method consist of computing

whether a model Msatisfies

Msatisfies : M The computation is usually automaticfor finite

models


8/107


Degree of automation

From fully automated to fully manual


9/107


Full- vs. property-verification

The specification may describe a single property

of the system, or it may describe its full behavior

(expensive).


10/107


Intended domain of application

Hardware, software

Sequential, concurrent

Reactive , terminating

Reactive: reacts to its environment, and is not meant to

terminate (e.g. operating systems, embedded systems,

computer hardware)


11/107


Pre- vs. post-development

Verification is of greater advantage if introduced

early in system development


12/107


Model checking

Model checking is an automatic, model-based,property-verificationapproach

It is intended to be used for concurrentand

reactivesystems The purpose of a reactive system is not necessarily to

obtain a final result, but to maintain some interactionwith its environment

Concurrency bugs non reproducible

not covered by test cases


13/107


14/107


Temporal Logic (cont.)

In model checking:

The models Mare transition systems

The properties are formulas in temporal logic

Model checking steps:

1. Model the system using the description language of a

model checker : M

2. Code the property using the specification language ofthe model checker :

3. Run the model checker with the inputs Mand


15/107


Model checker

M

ModelChecker

p F qyes

no

Error Trace


16/107


Linear vs. Branching

Linear-time logics think of time as a set of paths

path is a sequence of time instances

Branching time logics represent time as a tree

it is rooted at the present moment and branches out

into the future

Many logics were suggested during last years that

fit into one of above categories We study LTL in linear time logics and CTL in

branching time logics


17/107


Linear vs. Branching (cont.)

Linear Time

Every moment has a

unique successor

Infinite sequences(words)

Linear Time Temporal

Logic (LTL)

Branching Time

Every moment has

several successors

Infinite tree

Computation Tree

Logic (CTL)


18/107


CTL

Branching time


19/107


Computational tree logic

Syntax:

::= F | T | p | (~) |

(/\ ) | (\/) | (-> ) |

AX| EX| A[U] | E[U] |

AG| EG| AF| EF

Where p ranges over atomic formulas/descriptions.


20/107


AX, EX, AG, EG, AU, AF, EF : temporal connectives

The first of the pair A means along All paths E means along at least (there Exist) one path

The second one of the pair X means neXt state F means some Future state G means all future states (Globally) U means Until


21/107


Convention

Binding priorities

Unary connectives: ~, AG, EG, AF, EF,AX, EX

/\ , \/ -> , AU, EU


22/107


Well-formed CTL formulas:

EGr

AG(q -> EGr)

different from AGq -> EGr , which is(AGq) -> (EGr)

A[p U EFr]

EF EG p -> AFr


23/107


EFGr

AEFr

AGp

EF(rUq) ??

U can only be paired with an A or an E

EF E[rUq] or EF A[rUq]

AF[(rUq) /\ (pUr)] ??

Boolean connective (/\) cannot be directly inside A[]

or E[]


24/107


Example

The parse tree of A[AX ~p U E[EX(p/\q)U ~p]]

according to precedence rules


25/107


Transition System

A model M= (S, ,L) for CTL is S: a finite set of states

: a binary relation on S, such that everys Shas

somes 'Swiths s ' L: a labeling functionL: S P( Atoms)

P( Atoms) means the power set of Atoms

The interpretation of the labeling function is thateach stateshas a set of atomic propositionsL(s)

which are true at that particular state


26/107


Example

p,q

q,rq

s0

s1s2

S= {s0,s1,s2}

transitions =s0s1,s1s1,s2s1,s2s0,s0s2

L(s0)= {p,q}

L(s1) = {q}

L(s2) = {q,r}


27/107


Deadlock

We will call the transition systems simply models

in our discussions

According to the definition of a model, for each

sSthere is at least ones' S

No state of a system may be deadlocked

If a system has a deadlock, we always add an

extra statesdrepresenting the deadlock


28/107


Deadlock state

s0 s1

s2

s3

s3doesnt have anyfurther transitions

adding a deadlock

state sd

s0 s1

s2

s3

sd


29/107


Unwinding

We can unwind the transition system to obtain an

infinite computation tree

The execution paths of a model M are explicitly

represented in the tree obtained by unwinding thetree


30/107


Unwinding: example

p,q

q,rq

s0

s1 s2

p,q

p,q

s0

q,r

s2

q

s1

q

s1

q,r

s2 s0

p,qq,r

s2 s0

q

s1

q,r

s2

q

s1

an arbitrary

path


31/107


Formal Semantics

Let M= (S, ,L) be a model and =s1be a path in M

Whether satisfies an CTL formula is defined

by the satisfaction relation as follows:1

2

3

4


33/107


Next

7. M,s |= AXifffor all s1 such that

s->s1 we have M,s|= .

Thus, AX says in every next state 8. M,s |= EXifffor some s1 such that s->s1 we

have M,s|= .

Thus, EX says in some next state


34/107


Globally

9. M,s |= AGholds ifffor allpaths

s1->s2->s3-> where s1 equals s, and for all sialong the path, we have M,si |= .

For allcomputation paths beginning in s the

property holds Globally(including the initial

state).


35/107


10. M,s |= EGholds iff there is apath s1->s2-

>s3-> where s1 equals s, and for all si alongthe path, we have M,si |= .

There exista path beginning in s such that theproperty holds Globally(including the initial

state).


36/107


Finally

11. M,s |= AFholds ifffor allpaths

s1->s2->s3-> where s1 equals s, there is some sialong the path, such that we have M,si |= .

For allcomputation paths beginning in s there will

be some Futurestate where holds.


37/107


12. M,s |= EFholds iff there is apath s1->s2-

>s3-> where s1 equals s, and for some si alongthe path, we have M,si |= .

There exista path beginning in s such that theproperty holds insomeFuture state.


38/107


Until

13. M,s |= A[1U 2] holds ifffor allpaths

s1 -> s2 -> s3 -> where s1 equals s, that pathsatisfies 1U 2, i.e. there is some si along the

path, such that we have M,si |= 2, and, for eachj


39/107


A note for Until

Until says nothing about what happens after theUntil has been realized

This can be different from natural English

speaking For example:

She continued working until she married

We may interpret the sentence as she discontinued

working after marriage The above understanding is related to this formula

workingU ( marriageG working)


40/107


P.160: EF, EG

P.161: AF, AG

P.162: Until


41/107


Some practical patterns

It is possible to get to a state where startedholds,

but readydoes not hold

EF (startedready)

For any state, if a request occurs, then it willeventually be acknowledged

AG (requested AF acknowledged)

Whatever happens, a certain process willeventually be permanently deadlocked

AF (AG deadlock)


42/107


43/107


Part 2 : LTL

Amir Pnueli

The Weizmann

Institute of Science


44/107


LTL

LTL : Linear-time Temporal Logic

It has some connectives for referring to the future

It models time as a sequence of states, extending

infinitely to future

computation path

The future is not determined, we should consider

several paths for different futures Any one of the paths can be the actual path that is

realized


45/107


Atoms

We work with a fixed set of atomic formulas (like

p, q, r,) They stands for atomic facts which hold for a

system Process 897 is blocked

The variablex2is zero

The content of registerR1is 01010


46/107


Syntax of LTL

The syntax of LTL in BNF is:

where p is any propositional atom from some set

Atoms

X, F, G, U, R, W: temporal connectives


47/107


Temporal Connectives

X: neXt state

F: some Future state ( eventually)

G: all future states (Globally)

U: Until

R: Release

W: Weak-until


48/107


Operator precedence

Unary operators including negation have strongestprecedence

p U qis parsed as (p) U qrather than (p U q)

Temporal binary operators have strongerprecedence than non-temporal binary operators

p q U r is parsed as: p (q U r)

The precedence overpropositional logicis as usual

First do the AND

then the ORs and XORs

finally the IMPLIES and EQUIVALENCEs.


49/107


Example

The parse tree of Fp Gq p W raccording to

precedence rules

r

W

GF

qp

p


50/107


Transition System

A transition system is a structure M= (S, ,L)where

S: a finite set of states

: a binary relation on S, such that everys Shassomes 'Swiths s ' L: a labeling functionL: S P( Atoms)

P( Atoms) means the power set of Atoms

The interpretation of the labeling function is thateach stateshas a set of atomic propositionsL(s)which are true at that particular state


51/107


Example

p,q

q,rq

s0

s1s2

S= {s0,s1,s2}

transitions =s0s1,s1s1,s2s1,s2s0,s0s2

L(s0)= {p,q}

L(s1) = {q}

L(s2) = {q,r}


52/107


Deadlock

We will call the transition systems simply models

in our discussions

According to the definition of a model, for each

sSthere is at least ones' S

No state of a system may be deadlocked

If a system has a deadlock, we always add an

extra statesdrepresenting the deadlock


53/107


Deadlock state

s0 s1

s2

s3

s3doesnt have anyfurther transitions

adding a deadlock

state sd

s0 s1

s2

s3

sd


54/107


Paths

A path in a model M= (S, ,L) is an infinitesequence of statess1,s2,s3,in Ssuch that, foreach i1,si si+1.

We write paths ass1s2s3 Each arbitrary path ( e.g. =s1s2)

represents a possible future of the system

first it is ins1, thens2and so on

We write ifor the suffix starting atsi 2iss2s3


55/107


Unwinding

We can unwind the transition system to obtain an

infinite computation tree

The execution paths of a model M are explicitly

represented in the tree obtained by unwinding thetree


56/107


Unwinding: example

p,q

q,rq

s0

s1 s2

p,q

p,q

s0

q,r

s2

q

s1

q

s1

q,r

s2 s0

p,qq,r

s2 s0

q

s1

q,r

s2

q

s1

an arbitrary

path


57/107


Informal semantics

Globallyp: G p

G pis true in a state ifpholds at all points of time

(along the path) starting from that state

p=

Suppose G pholds in the initial state

0 1 2 3


58/107


Informal semantics (cont.)

Eventuallyp:F p

F pis true in a state ifpholds at some points in

the future, stating from the state

p=

SupposeF pholds in the initial state

0 1 2 3


59/107



Nextp:X p

X pis true along a path starting in a state ifp

holds in the next state

p=

SupposeX pholds in state at t=2

0 1 2 3


60/107



p Until q:p U q

p Uqis true in statesif

qis true in some state reachable froms

p is true in all states fromsuntil qholds

p= q=

Supposep U qholds in the initial state

0 1 2 3


61/107


A note for Until

Until says nothing about what happens after theUntil has been realized

This can be different from natural English

speaking For example:

She continued working until she married

We may interpret the sentence as she discontinued

working after marriage The above understanding is related to this formula

workingU ( marriageG working)


62/107


63/107


Formal Semantics (cont.)

5

6

7

8

9

10


64/107


Formal Semantics (cont.)

Until and Release are dual

: R (U )11

12

Or for all k>=1 we have


65/107


Release

Release R is dual of U; that is:

R (U )

must remain true up to and including the

moment whenbecomes true (if there is one);

releases


66/107


Weak Until

W: Weak Until is related to the Until with

the difference that it does not require that is

eventually hold

Essentially Wis a short form for writingU G


67/107


LTL satisfaction by a system

Suppose M= ( S, ,L) is a model,sS, and an LTL formula

We write M,s if for every execution path of

Mstarting ats, we have Sometimes M,s is abbreviated ass


68/107


Example

p,q

p,q

s0

q,r

s2

q

s1

q

s1

q,r

s2 s0

p,qq,r

s2 s0

q

s1

q,r

s2

q

s1

1. M,s0 X q

2. M,s0 G (pr)

3. M, s1 G q

4. M,s0pU q


69/107


Some practical patterns

It is impossible to get to a state where started

holds, but readydoes not hold

G (startedready)

For any state, if a request occurs, then it willeventually be acknowledged

G (requested F acknowledged)

Whatever happens, a certain process willeventually be permanently deadlocked

F G deadlock


70/107


71/107


LTL weakness

The features which assert the existence of a pathare not(directly) expressible in LTL

This problem can be solved by: checking whether

all paths satisfy the negation of the requiredproperty

A positive answer to this is a negative answer toour original question and vice versa.

BUT: properties which mixuniversal andexistential path quantifiers cannot in general beexpressed in LTL


72/107


LTL Weakness: Examples

LTL cannot express these features:

From any state it ispossibleto get to a restartstate

(i.e., there is a path from all states to a state satisfying

restart) The lift canremain idle on the third floor with its door

closed (i.e., from the state in which it is on the third

floor, there is a path along which it stays there)

LTL cannot assert these because it cannot directlyassert the existence of paths

However, CTL can express these properties


73/107


Expressing Properties by CTL

From any state it ispossibleto get to a restartstate

(i.e., there is a path from all states to a state satisfying

restart)

AG(EF restart)

The lift canremain idle on the third floor with its door

closed (i.e., from the state in which it is on the third

floor, there is a path along which it stays there)

AG (floor3 & idle & doorclosed EG (floor3 & idle &doorclosed))


74/107


Equivalence

We say that two LTL formulas and are

semantically equivalent if for all models Mand all paths in M: iff

The equivalence of andmeans that and are semantically interchangeable

F and G are duals of each other

G F F G X is dual with itself

X X


75/107


F distributes over and G over

F () FF G ( ) GF

Note that the above formulas are dual

But these equivalences do not hold

F () FF

G ( ) GF

Equivalence (cont.)


76/107


77/107


Adequate Sets

Definition: A set of connectives is adequate if all

connectives can be expressed using it

X cannot be derived from any combination of the

others Each of these sets is adequate for LTL

{U,X}

{R,X}

{W,X}


78/107


79/107


Safety: Only one process is in its critical section

at any time.

Liveness: Whenever any process requests to enter

its critical section, it will eventually be permittedto do so.

Non-blocking: A process can always request to

enter its critical section. No strict sequencing: Processes need not enter

their critical section in strict sequence.


80/107

2


81/107


2 process mutex

s0

n1n

2

c1n

2

t1t2

n1t2t

1n

2

n1c

2

t1c

2c

1t2

s1 s5

s2

s6

s7s4

s3

The processes are asynchronous interleaved

one of the processes makes a transition while the other remains

in its current state

Th i


82/107


The properties

Safety: G (c1c2) This formula is satisfied in all states

Liveness: G (t1 F c1)

This formula is not satisfied in the initial state!

s0s1s3s7 s1s3s7

Non blocking: For every state satisfying n1, there is asuccessorsatisfying t1.

NO strict Sequencing: Consider complement. All the paths

having C1 can not have further C1 until C2 occurs - False

- strict sequence need not occur is true


83/107


84/107

CTL* and the expressive powers of


85/107


CTL and the expressive powers of

LTL and CTL

CTL over LTL: CTL allows explicitquantification over paths

LTL over CTL: CTL does not allow one to select

a range of paths by describing them with aformula, as LTL does.

In LTL: all paths which have apalong them also have

a qalong them: Fp Fq

In CTL none of these are the same: AFpAF q

Or AG (p AF q)

CTL*


86/107


CTL*

Drop the CTL constraint that every The syntax of CTL* involves two classes of

formulas:

State formula, which are evaluated in states Path formulas, which are evaluated along paths

F i


87/107


Fairness

Fairness: Fairness is a subtle subject

There are several popular definitions of Fairness, such as weakfairness, strong fairness,

1. Weak (Buchi) fairness: an action cannot be enabledforeverwithout being taken FG (enabled taken ) = GF (enabled taken)

2. Strong (Streett) fairness: an action cannot be enabled

infinitely oftenwithout being taken (GF enabled ) (GF taken )

(Thomas A. Henzinger, Four Lectures on Model Checking)

Th ti


88/107


The properties

Strong fairness makes model checking moredifficult

We consider only weak fairness for our example

Weak Fairness: GF ( t1c1) This constraint is also violated in the cycle

s0s1s3s7 s1s3s7


89/107


90/107

Pl f thi t


91/107


Plan for this part

In this part of the lecture, we will model a wellknown problem in the computer science

The mutual exclusion problem

We will study the modeling approach in the Spinmodel checker

To get familiar with this tool, you have to model

some more problems yourself

S i


92/107


Spin

SPIN (Simple Promela Interpreter)[Holzmann 1991]

Spin is the state-of-the-art model checker

More than two decades of research

12 workshops so far

Concurrent systems are described in a modelinglanguage calledPromela

GerardJ. Holzmann

NASA JPL Laboratoryfor Reliable Software

S i ( t )


93/107


Spin (cont.)

It was the winner of the 2001 ACM Software SystemAward

Some other Software System Award winners:

1983 UNIX

1986 TeX

1987 SMALLTALK

1991 TCP/IP

2002 Java

The award citation:"For SPIN, a highly successful and widely used software model-checking system based on "formal methods" from Computer Science. Ithas made advanced theoretical verification methods applicable to largeand highly complex software systems."

P l


94/107


Promela

Protocol/Process Meta Language

Specification language to model finite-state

systems

Loosely based on CSP dynamic creation of concurrent processes

communication via message channels can be

synchronous (i.e. rendezvous), or asynchronous (i.e.

buffered)

Features from Dijkstras guarded commandlanguage

Promela models


95/107


Promela models

A Promela model consist of:

1. type declarations

2. channel declarations

3. global variable

declarations

4. process declarations

5. [initprocess]behaviourof the processes:local variables + statements

- simple vars- structured vars

- vars can be accessed

by allprocesses

initialisesvariables and

startsprocesses

chan ch = [dim] of {type, }asynchronous: dim> 0rendezvous: dim== 0

mtype, constants,typedefs (records)

Promela Model (cont )


96/107


Promela Model (cont.)

It corresponds to a finite transition system

no unbounded: {data, channels, processes, process

creations}mtype = {MSG, ACK} ;

chan toS = ...

bool flag ;

proctype Sender ( bool a) {

....

}init {

...

}

Processbody

CreateProcesses


97/107

Process (cont )


98/107


Process (cont.)

A process type (proctype) consist of a name

a list of formal parameters

local variable declarations

bodyproctype Sender(chan in; chan out) {

bit sndB, rcvB;

do

:: out ! MSG, sndB ->

in ? ACK, rcvB;

if:: sndB == rcvB -> sndB = 1-sndB

:: else -> skip

fi

od

}

name

body

formal parameters

The body consist of a

sequence of statements.

localvariables

Process (cont )


99/107


proctype Foo(byte x) {

...}

init {

int pid2 = runFoo(2);

runFoo(27);}

active[3] proctype Bar() {

...

}

Process (cont.)

Process are created usingthe runstatement (which

returns the process id).

Processes can be created at

any point in the execution

(within any process).

Processes start executingafter the runstatement.

Processes can also becreated by adding active

in front of theproctype

declaration.

numberof procs. (opt.)

parameters will be

initialised to 0

Variables and Types


100/107


Basic types

bit turn=1; [0..1]bool flag; [0..1]

byte counter; [0..255]

short s; [-215.. 2151]

int msg; [-231.. 2311]

Arraysbyte a[27];

bit flags[4];

Typedef (records)

typedef Record {

short f1;byte f2;

}

Record rr;

rr.f1 = ..

Variables and Types

Five different (integer)basic types.

Arrays

Records (structs)

Type conflicts are detected

at runtime

Default initial value of

basic variables (local and

global) is 0

array indexingstart at 0

variabledeclaration


101/107

Statements


102/107


Statements

A statement is either Executable : if evaluates to non-zero

Blocked : if evaluates to zero

An assignment statement is always executable Examples :

1 always executable

0 always blocked (halt)

2 < 3 always executable X < 10 executable, if X is less than 10

5 + Y executable, if Y is not equal to -5


103/107

if statement


104/107


if-statement

If there is at least one choice executable, ifstatement is executable

One of the executable choices is non-

deterministically chosen If no choice is executable, the if-statement is

blocked until it becomes executableif

:: choice1-> stat1.1; stat1.2; stat1.3;


::

:: choicen-> statn.1; statn.2; statn.3;

fi

do statement


105/107


do-statement

Behaves in the same way as if-statement withrespect to choices

The only difference is it repeats

break ( always executable ) exits a do-loop

do


:: choice2-> stat

2.1; stat

2.2; stat

2.3;

::

:: choicen-> statn.1; statn.2; statn.3;

od

Interleaving semantics


106/107


Interleaving semantics

Promela processes execute concurrently.

Non-deterministic scheduling of processes.

Processes are interleaved, not statements within a

single process. Statements of different processes do not occur at

the same time.

All statements are atomic.


107/107

Any question?

huthmodelcheckspin(loc 3rd chapter)

Documents