
Selected Titles in This Series (Continued from the front of this publication)

15 Nathaniel Dean and Gregory E. Shannon, Editors, Computational Support for Discrete Mathematics
14 Robert Calderbank, G. David Forney, Jr., and Nader Moayeri, Editors, Coding and Quantization: DIMACS/IEEE Workshop
13 Jin-Yi Cai, Editor, Advances in Computational Complexity Theory
12 David S. Johnson and Catherine C. McGeoch, Editors, Network Flows and Matching: First DIMACS Implementation Challenge
11 Larry Finkelstein and William M. Kantor, Editors, Groups and Computation
10 Joel Friedman, Editor, Expanding Graphs
9 William T. Trotter, Editor, Planar Graphs
8 Simon Gindikin, Editor, Mathematical Methods of Analysis of Biopolymer Sequences
7 Lyle A. McGeoch and Daniel D. Sleator, Editors, On-Line Algorithms
6 Jacob E. Goodman, Richard Pollack, and William Steiger, Editors, Discrete and Computational Geometry: Papers from the DIMACS Special Year
5 Frank Hwang, Fred Roberts, and Clyde Monma, Editors, Reliability of Computer and Communication Networks
4 Peter Gritzmann and Bernd Sturmfels, Editors, Applied Geometry and Discrete Mathematics, The Victor Klee Festschrift
3 E. M. Clarke and R. P. Kurshan, Editors, Computer-Aided Verification '90
2 Joan Feigenbaum and Michael Merritt, Editors, Distributed Computing and Cryptography
1 William Cook and Paul D. Seymour, Editors, Polyhedral Combinatorics


DIMACS Series in Discrete Mathematics and Theoretical Computer Science
Volume 32

The SPIN Verification System
The Second Workshop on the SPIN Verification System
Proceedings of a DIMACS Workshop
August 5, 1996

Jean-Charles Gregoire
Gerard J. Holzmann
Doron A. Peled
Editors

NSF Science and Technology Center in Discrete Mathematics and Theoretical Computer Science
A consortium of Rutgers University, Princeton University, AT&T Labs, Bell Labs, and Bellcore

American Mathematical Society

https://doi.org/10.1090/dimacs/032

This DIMACS volume contains the proceedings of the second workshop on the SPIN Verification System held at DIMACS on August 5, 1996.

1991 Mathematics Subject Classification. Primary 68Q60; Secondary 68Q45, 68Q10, 68M10, 68N99, 68Q68, 68-06.

Library of Congress Cataloging-in-Publication Data

The SPIN Verification System (1996 : New Brunswick, N.J.)
The SPIN Verification System : DIMACS workshop, August 5, 1996 / Jean-Charles Gregoire, Gerard J. Holzmann, Doron A. Peled, editors.
p. cm. — (DIMACS series in discrete mathematics and theoretical computer science, ISSN 1052-1798 ; v. 32)
Workshop held at Rutgers Univ. in New Brunswick, N.J.
Includes bibliographical references.
ISBN 0-8218-0680-7
1. Computer software—Verification—Congresses. 2. SPIN (Computer file)—Congresses. I. Gregoire, Jean-Charles, 1960- . II. Holzmann, Gerard J., 1951- . III. Peled, Doron, 1962- . IV. Title. V. Series.
QA76.76.V47 W677 1996
005.276—dc21 96-54839
CIP

Copying and reprinting. Material in this book may be reproduced by any means for educational and scientific purposes without fee or permission with the exception of reproduction by services that collect fees for delivery of documents and provided that the customary acknowledgment of the source is given. This consent does not extend to other kinds of copying for general distribution, for advertising or promotional purposes, or for resale. Requests for permission for commercial use of material should be addressed to the Assistant to the Publisher, American Mathematical Society, P. O. Box 6248, Providence, Rhode Island 02940-6248. Requests can also be made by e-mail to reprint-permission@ams.org.

Excluded from these provisions is material in articles for which the author holds copyright. In such cases, requests for permission to use or reprint should be addressed directly to the author(s). (Copyright ownership is indicated in the notice in the lower right-hand corner of the first page of each article.)

© 1997 by the American Mathematical Society. All rights reserved. The American Mathematical Society retains all rights except those granted to the United States Government. Printed in the United States of America.

∞ The paper used in this book is acid-free and falls within the guidelines established to ensure permanence and durability.

CONTENTS

Foreword
Fred S. Roberts, Bernard Chazelle, and Stephen R. Mahaney    vii

Preface
Jean-Charles Gregoire, Gerard J. Holzmann, and Doron A. Peled    ix

State space compression with graph encoded sets
J.-Ch. Gregoire    1

Not checking for closure under stuttering
Gerard J. Holzmann and Orna Kupferman    17

On nested depth first search
Gerard J. Holzmann, Doron Peled, and Mihalis Yannakakis    23

Modelling and analysis of a collision avoidance protocol using SPIN and UPPAAL
Henrik Ejersbo Jensen, Kim G. Larsen, and Arne Skou    33

The application of PROMELA and SPIN in the BOS project
Pim Kars    51

Implementing and verifying MSC specifications using PROMELA/XSPIN
Stefan Leue and Peter B. Ladkin    65

Creating implementations from PROMELA models
Siegfried Loffler and Ahmed Serhrouchni    91

Modelling and verification of the MCS layer with SPIN
Pedro Merino and Jose-Maria Troya    101

Protocol verification with reactive PROMELA/RSPIN
Elie Najm and Frank Olsen    111

Outline for an operational semantics of PROMELA
V. Natarajan and Gerard J. Holzmann    133

A simulation and validation tool for self-stabilizing protocols
Sandeep K. Shukla, Daniel J. Rosenkrantz, and S. S. Ravi    153

Dynamic analysis of SA/RT models using SPIN and modular verification
Javier Tuya, Jose R. de Diego, Claudio de la Riva, and Jose A. Corrales    165

Memory efficient state storage in SPIN
Willem Visser and Howard Barringer    185

Foreword

The Second SPIN Workshop, held at Rutgers University on August 5, 1996, was part of the DIMACS Special Year on Logic and Algorithms. We would like to express our appreciation to Jean-Charles Gregoire, Gerard J. Holzmann, and Doron A. Peled for their efforts to organize and plan the workshop.

The workshop was part of the broader Special Year on Logic and Algorithms program, which focused on computer aided verification, finite models, and proof complexity. The special year encouraged collaborations among very different research communities, and this volume records one of many workshops in which this was achieved. We extend our thanks to Eric Allender, Robert Kurshan, and Moshe Vardi for their work over many months as special year organizers.

DIMACS gratefully acknowledges the generous support that makes these programs possible. The National Science Foundation, through its Science and Technology Center program, the New Jersey Commission on Science and Technology, and the DIMACS partners at Rutgers, Princeton, AT&T Labs, Bell Labs, and Bellcore generously supported the special year. Additional funding from Bell Labs allowed increasing the number of scientists who could participate.

Fred S. Roberts, Director
Bernard Chazelle, Co-Director for Princeton
Stephen R. Mahaney, Associate Director


PREFACE

What Is SPIN? SPIN is a general tool for the specification and formal verification of software for distributed systems. It has been used to detect design errors in a wide range of applications, such as abstract distributed algorithms, data communications protocols, operating systems code, and telephone switching code. The verifier can check for basic correctness properties, such as absence of deadlock and race conditions, logical completeness, or unwarranted assumptions about the relative speeds of processes. It can also check for more subtle, system dependent correctness properties expressed in the syntax of Linear-time Temporal Logic [14]. The tool translates LTL formulae automatically into automata representations [3], which can be used in an efficient on-the-fly verification procedure.

Some Background. Work on the construction of automated verification systems of this type started about two decades ago. Among the first to build a fully automated tool based on the reachability analysis of finite state models was Jan Hajek at the Technical University in Eindhoven in The Netherlands [4]. Between 1976 and 1978 Hajek's system Approver successfully uncovered bugs in a series of published designs for communications protocols. The algorithmic techniques on which the Approver system was based were unfortunately never revealed, and therefore the system could only inspire, but not directly influence, related efforts by others.

At approximately the same time, Colin West at the IBM research lab in Ruschlikon, Switzerland, worked on the implementation of a tool for Pitro Zafiropulo's duologue matrix analysis technique. This work quickly led West to develop his own variant of a verification system [18]. The most visible result of this work was a first verification, and the uncovering of design flaws, in the X.21 recommendation from the CCITT (now the ITU) with West's perturbation analysis procedure. The X.21 verification is today frequently used as a litmus test for new verification systems.

The work that ultimately led to the SPIN verification system started at Bell Labs in 1980. The first incarnation of the system, the verifier PAN, started finding bugs in data-switch control protocols in November 1980. Like today's SPIN, PAN was a general on-the-fly verification system, but unlike SPIN it was restricted to the verification of only basic safety properties. Over a period of ten years [5, 6, 7, 8, 9], this tool evolved into a powerful verification system with full model checking capabilities. SPIN was first released for general distribution in late 1990 [10], and has continued to evolve. Significant improvements in SPIN's model checking capabilities were the introduction of a partial order reduction method in 1994 [13, 11] and a built-in translation algorithm [3] for converting LTL formulae into the automata recognized by SPIN's verification engine. The code to the SPIN system is available from http://netlib.bell-labs.com/netlib/spin/whatispin.html.


Several other tools with a similar long history exist. Descriptions can be found, e.g., in [1, 15, 16, 12].

Tool Characteristics. SPIN has several distinguishing features that make it well suited for addressing verification problems in the general area of concurrent software design and telecommunications systems engineering:

• The specification language for SPIN is a high-level, asynchronous and non-deterministic, guarded command language that is well suited for specifying software process behaviors, instead of a synchronous notation that would be better suited for specifying hardware circuits.

• The logic used in SPIN is based on the linear-time temporal logic LTL, instead of a branching time temporal logic such as CTL.

• The verification procedure used in SPIN is based on explicit state enumeration, rather than on a symbolic state representation.

• SPIN uses an on-the-fly verification algorithm [2], storing as little information in memory as is strictly necessary for completing the verification task, instead of an offline (or two-pass) verification procedure. No transitions (edges) need be stored with this method, and efficient compression and reduction techniques are available to reduce the memory usage to a minimum without incurring undue overhead or unpredictable performance.

• SPIN uses a general partial order reduction technique [13, 11] to exploit regularities that are common in asynchronous interleaving systems, rather than the BDD representations that are common in hardware verification to achieve the same effects.

• SPIN contains a range of simulation options, with either graphical or textual output, that have proven their value in the pre-verification phase of a design. A simple graphical user interface to the system, called XSPIN, enhances the usability of the tool, especially for new or occasional users.
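The explicit-state, on-the-fly search and the automata-based treatment of LTL described in the characteristics above (and in the opening paragraph of this preface) can be seen in miniature in the following added example. It is illustrative code written for this page, not SPIN's source and not PROMELA: two interleaved processes over a global state vector, successors generated on the fly (only visited state vectors are stored, never edges), a first depth-first search for the safety properties named above (mutual exclusion and deadlock), and the nested depth-first search of [2] over the product of the model with a hand-written Büchi automaton for the negation of the progress property []<> in_cs. The three mutual-exclusion protocols (a check-then-set race, a set-then-back-off variant, and Peterson's algorithm), the state encoding, the proposition name in_cs and all function names are this example's own constructions.

```python
# Added illustration, not SPIN's source: a miniature explicit-state, on-the-fly
# model checker for two interleaved processes. State vector: (pcs, flags, turn).
INIT = ((0, 0), (False, False), 0)

def upd(st, i, pc=None, flag=None, turn=None):
    """Copy of state vector st with process i's pc/flag and the turn updated."""
    pcs, flags = list(st[0]), list(st[1])
    pcs[i] = st[0][i] if pc is None else pc
    flags[i] = st[1][i] if flag is None else flag
    return (tuple(pcs), tuple(flags), st[2] if turn is None else turn)

# A protocol generates the successors of process i in state st; yielding nothing
# means the process is blocked (a false PROMELA guard). All three are toy models.
def race(i, st):  # check-then-set: test the other flag, then raise ours
    pc, flags, j = st[0][i], st[1], 1 - i
    if pc == 0 and not flags[j]:
        yield upd(st, i, pc=1)                 # other flag down: proceed
    elif pc == 1:
        yield upd(st, i, pc=2, flag=True)      # raise flag, enter CS (pc 2)
    elif pc == 2:
        yield upd(st, i, pc=0, flag=False)     # leave CS

def polite(i, st):  # set-then-back-off: raise our flag, retract it if the other is up
    pc, flags, j = st[0][i], st[1], 1 - i
    if pc == 0:
        yield upd(st, i, pc=1, flag=True)
    elif pc == 1 and flags[j]:
        yield upd(st, i, pc=0, flag=False)     # back off and retry
    elif pc == 1:
        yield upd(st, i, pc=2)                 # enter CS (pc 2)
    elif pc == 2:
        yield upd(st, i, pc=0, flag=False)

def peterson(i, st):  # Peterson's algorithm: raise flag, give the turn away, wait
    pc, flags, turn, j = st[0][i], st[1], st[2], 1 - i
    if pc == 0:
        yield upd(st, i, pc=1, flag=True)
    elif pc == 1:
        yield upd(st, i, pc=2, turn=j)
    elif pc == 2 and (not flags[j] or turn != j):
        yield upd(st, i, pc=3)                 # guard true: enter CS (pc 3)
    elif pc == 3:
        yield upd(st, i, pc=0, flag=False)

PROTOCOLS = {"race": (race, 2), "polite": (polite, 2), "peterson": (peterson, 3)}

def successors(step, st):
    """Asynchronous interleaving: every enabled process may move next."""
    for i in (0, 1):
        yield from step(i, st)

def check_safety(step, cs):
    """Reachability storing visited state vectors only (never edges); returns 'mutex violated', 'deadlock' or 'ok'."""
    seen, stack = {INIT}, [INIT]
    while stack:
        st = stack.pop()
        if st[0] == (cs, cs):
            return "mutex violated"            # both processes in the CS
        nxt = list(successors(step, st))
        if not nxt:
            return "deadlock"                  # nobody can move
        new = [s for s in nxt if s not in seen]
        seen.update(new)
        stack.extend(new)
    return "ok"

def find_acceptance_cycle(step, cs):
    """Nested DFS on the product with a Buchi automaton for the negated progress
    property []<> in_cs. Returns a state on a non-progress cycle, or None."""
    def delta(q, st):                          # automaton state 1 is accepting
        if cs in st[0]:
            return (0,) if q == 0 else ()      # in_cs: only state 0 survives
        return (0, 1) if q == 0 else (1,)      # !in_cs: may enter or stay in 1
    def product_succ(v):
        for s in successors(step, v[0]):
            for q2 in delta(v[1], s):
                yield (s, q2)
    visited, flagged, found = set(), set(), []
    def dfs2(v, seed):                         # inner search: seed reachable again?
        flagged.add(v)
        for w in product_succ(v):
            if w == seed or (w not in flagged and dfs2(w, seed)):
                return True
        return False
    def dfs1(v):                               # outer search; seeds dfs2 in post-order
        visited.add(v)
        for w in product_succ(v):
            if w not in visited and dfs1(w):
                return True
        if v[1] == 1 and dfs2(v, v):
            found.append(v[0])
            return True
        return False
    dfs1((INIT, 0))
    return found[0] if found else None

if __name__ == "__main__":
    for name, (step, cs) in PROTOCOLS.items():
        print(name, check_safety(step, cs), find_acceptance_cycle(step, cs))
```

Run as a script, it prints one line per protocol: the race variant reaches a state with both processes in the critical section (the mutual exclusion violation), the back-off variant is safe but contains a non-progress cycle in which one process raises and retracts its flag forever while the other sits with its flag up (a livelock), and Peterson's algorithm passes both checks. Note that a per-process property such as "process 0 eventually enters once it is waiting" would fail here even for Peterson, because the interleaving model contains the run in which only process 1 is ever scheduled; that is why an explicit fairness option exists in SPIN. Only the visited sets grow with the state space, and no edge is ever stored, which is the point of the on-the-fly bullet above.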

The SPIN Workshops. This book contains the proceedings of the second workshop on work related to the SPIN verification system. At the workshop, fourteen research papers were presented by researchers from eight different countries.

The keynote presentation was delivered by Moshe Vardi, Noah Harding Professor and chair of Computer Science at Rice University. Prof. Vardi is one of the primary developers of the automata theoretic framework on which SPIN is founded [17]. The viewgraphs of the keynote presentation are available as an on-line document at http://netlib.bell-labs.com/netlib/spin/ws96/vardi.ps. One other presentation could not be included in these proceedings as a full paper: work reported by Frank Schneider and Jack Callahan from NASA's Software Verification and Validation Facility, on the verification with SPIN of aspects of a distributed system used in one of NASA's upcoming space missions. We have added a paper to this volume that was also distributed as part of the participants' proceedings at the SPIN workshop: an outline for an operational semantics definition of SPIN's specification language PROMELA.

Four tool demos were presented at the workshop:

1. The WHEEL environment for SPIN: an extension targeted to the specification and verification of feature interaction problems (by F. J. Lin, Bellcore, USA).
2. A real-time extension of SPIN (by Stavros Tripakis, Verimag, France).
3. A PROMELA to C translator (by Siegfried Loffler, Hewlett-Packard, England).


4. RSPIN, an extension for the specification and verification of reactive systems (by Frank Olsen, Centre National d'Etudes des Telecommunications, Issy-Les-Moulineaux, France).

The number of sites where the SPIN system is installed and used is now in the thousands. The program of this year's workshop reflects the nature of the work in formal verification that is triggered or inspired by this system. In four broad categories, there are:

• Theoretical and foundational studies.
• Empirical studies of the relative effectiveness of different types of search and storage algorithms.
• Significant practical applications.
• Extensions and revisions of the basic SPIN code.

Several of the projects in each category were represented at the workshop, but perhaps more encouraging still is that many more of these SPIN projects are in progress at academic and industrial research labs around the world. The goal of the SPIN workshops is to create an opportunity for those who work with this system to meet, share experiences, learn about each other's work, and exchange ideas. As witnessed by these proceedings, this year's workshop fully met that goal.

Acknowledgements. The 1996 workshop was sponsored by Bell Labs and by DIMACS, the National Science Foundation's Science and Technology Center for Discrete Mathematics and Theoretical Computer Science, as part of their Special Year Program on Logic and Algorithms. DIMACS provided both logistic support at the workshop location at Rutgers University in New Brunswick, New Jersey, and financial support for invited speakers and graduate students. We are especially grateful to Pat Pravato, Sarah Donnelly, Wanglai Li, and Hangbiao Shi for their courteous and efficient help with the preparations, often under time pressure from preparations for other special year events.

Jean-Charles Gregoire, Gerard J. Holzmann, Doron Peled.

References

[1] E. M. Clarke and E. A. Emerson, Characterizing properties of parallel programs as fixpoints, Proc. 7th Int. Coll. on Automata, Languages and Programming, LNCS 85, 1981.

[2] C. Courcoubetis, M. Vardi, P. Wolper, M. Yannakakis, Memory-efficient algorithms for the verification of temporal properties, Formal Methods in System Design 1 (1992) 275-288.

[3] R. Gerth, D. Peled, M. Vardi, P. Wolper, Simple on-the-fly automatic verification of linear temporal logic, Proc. 15th Int. Conf. on Protocol Specification, Testing, and Verification, INWG/IFIP, Eds. P. Dembinsky and M. Sredniawa, Warsaw, Poland, 1995.

[4] J. Hajek, Automatically verified data transfer protocols, Proc. 4th ICCC, 1978, Kyoto, pp. 749-756.

[5] G. J. Holzmann, PAN - a Protocol Specification Analyzer, Bell Laboratories Technical Memorandum, TM81-11271-5, May 1981.

[6] G. J. Holzmann, R. A. Beukers, The PANDORA protocol development system, Proc. 3rd Int. Conf. on Protocol Specification, Testing, and Verification, INWG/IFIP, Eds. H. Rudin and C. West, pp. 357-369, North Holland Publ. Co., June 1983.

[7] G. J. Holzmann, Tracing protocols, AT&T Techn. Journal, Vol. 64, No. 10, Dec. 1985.

[8] G. J. Holzmann, An improved reachability analysis technique, Software Practice and Experience, Vol. 18, No. 2, pp. 137-161, Feb. 1988.

[9] G. J. Holzmann, J. Patti, Validating SDL specifications: An Experiment, Proc. 9th Int. Conf. on Protocol Specification, Testing, and Verification, INWG/IFIP, Eds. C. Vissers and E. Brinksma, Twente, Neth., June 1989.

[10] G. J. Holzmann, Design and Validation of Computer Protocols, Prentice Hall, 1991.

[11] G. J. Holzmann and D. Peled, An improvement in formal verification, Proc. 7th Int. Conf. on Formal Description Techniques, Eds. D. Hogrefe and S. Leue, FORTE94, Berne, Switzerland, October 1994.

[12] R. P. Kurshan, Computer Aided Verification of Coordinating Processes, Princeton University Press, 1994.

[13] D. A. Peled, Combining partial order reductions with on-the-fly model checking, Proc. 6th Int. Conf. on Computer Aided Verification, CAV94, Stanford, Ca., June 1994.

[14] A. Pnueli, The temporal logic of programs, Proc. 18th IEEE Symposium on Foundations of Computer Science, Providence, R.I., pp. 46-57, 1977.

[15] J. P. Queille, Le systeme Cesar: description, specification et analyse des applications reparties, Ph.D. Thesis, June 1982, Computer Science Dept., Univ. Grenoble, France.

[16] K. L. McMillan, Symbolic model checking: an approach to the state explosion problem, Kluwer Academic Publ., 1993.

[17] M. Y. Vardi and P. Wolper, An automata-theoretic approach to automatic program verification, Proc. First Symposium on Logic in Computer Science, June 1986, Cambridge, pp. 322-331.

[18] C. H. West, General technique for communications protocol validation, IBM Journal of Research and Development, Vol. 22, No. 4, p. 393, 1978.