
SPIN Verification System

The Model Checker SPIN By Gerard J. Holzmann

Comp 587 – 12/2/09
Eduardo Borjas – Omer Azmon


Overview

Problem

Solution

Applications

Structure

Example

Live Demo

Conclusion

Q & A


Problem


Problem: Today’s Problem With Design

“Whether we like it or not, we often design software either by trial and error or by duplicating and modifying a piece of code that does something similar to what we want. This works fine for small applications, but fails miserably for large design projects or for critical code.”

-Gerard J. Holzmann


Problem: Circular Blocking


Problem: Deadly Embrace

(Diagram: two processes taking the same two resources in opposite order, labelled Get A, Get B, Rel B, Rel A on one side and Get B, Get A, Rel A, Rel B on the other; each process ends up holding one resource while waiting for the other.)

*Rel = Release
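The deadly embrace above written as a SPIN model, added here as an example (not from the slides). The resources A and B are modelled as two boolean flags, and the file name embrace.pml is assumed:

```promela
/* Added example: the Deadly Embrace of the Problem section as a SPIN model.
   p1 takes A then B, p2 takes B then A.  Build and verify with
     spin -a embrace.pml && gcc -o pan pan.c && ./pan
   pan reports an "invalid end state": p1 holds A waiting for B while
   p2 holds B waiting for A.  Replay the counter-example with
     spin -t -p embrace.pml
   Run spin with -DORDERED so both processes take A before B; the
   cycle disappears and pan reports 0 errors. */

bool a_free = true;     /* resource A available */
bool b_free = true;     /* resource B available */

/* block until the resource is free, then take it, in one atomic step */
inline get(r) { atomic { r -> r = false } }
inline rel(r) { r = true }

active proctype p1()
{
    get(a_free);        /* Get A */
    get(b_free);        /* Get B */
    rel(b_free);        /* Rel B */
    rel(a_free);        /* Rel A */
}

active proctype p2()
{
#ifdef ORDERED
    get(a_free);        /* Get A first: same order as p1, no cycle */
    get(b_free);        /* Get B */
#else
    get(b_free);        /* Get B */
    get(a_free);        /* Get A: blocks forever once p1 holds A */
#endif
    rel(a_free);        /* Rel A */
    rel(b_free);        /* Rel B */
}
```

The deadlock is found without any correctness claim: pan's default check flags states in which no process can move and not every process has finished.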

Problem: Design Flaws

Deadlock

Livelock

Starvation

Overspecification: Unused code

Underspecification: Not all states are expected

Assumptions about Speed: Logic vs. real world

Problem: Distributed Process Software

Testing
  Complexity
  Scale

Impractical
  Equipment availability
  Regression testing

Time
  Timing in asynchronous processes
  Testing all instances

Criticality


Solution


Solution: SPIN

“SPIN is an efficient verification system for models of distributed software systems”

SPIN Focuses on Process Interactions

Focus on Proving Correctness: The act of proving the correctness of an algorithm using formal methods of mathematics


Solution: SPIN

SPIN Aims To Provide the Following:

1) An intuitive, program-like notation for specifying design choices unambiguously, without implementation detail.

2) A powerful, concise notation for expressing general correctness requirements.

3) A methodology for establishing the logical consistency of the design choices from 1) and the matching correctness requirements from 2).


Solution: SPIN

Other Facts

SPIN Was Awarded the System Software Award by the ACM (2002)

Other award winners include UNIX, TeX, Smalltalk, TCP/IP, and Tcl/Tk

Tools Can Transfer Java or C Programs Into SPIN Models

Used By NASA, Bell Labs, and Lucent

Currently Taught at Caltech (CS 118, 119a-b, and 116)


Applications


Applications

Traditional
  Theoretical Studies
  Empirical Studies (Search and Storage)

Practical
  Flood Control (Computer Management Group)
  Mission Critical Software (NASA)
  Telephone Exchange (Bell Labs & Lucent)
  Packet Switching
  Railway Safety (Ansaldo and IRST)
  Client Server Applications

Applications

Practical
  Process Scheduling
  Leader Election
  Flow Control
  Multithreaded Programs


Structure


Structure: SPIN

SPIN Is Broken Into Two Parts:
  Design Specification (PROMELA)
  Correctness Claims (Linear Temporal Logic)

SPIN = Simple Promela INterpreter

(Architecture diagram: the XSPIN front-end feeds the PROMELA parser, which also takes the output of the LTL parser & translator; the parser produces 1. syntax error reports, 2. interactive simulation and 3. the verifier generator, whose optimized model checker, the executable on-the-fly verifier, produces counter-examples.)

Structure: PROMELA

Specification Language (Design)

PROtocol MEta Language

One or More User-Defined Process Templates

proctype definition

Each template defines the behavior of a process

A running process can instantiate another process


Structure: PROMELA

active proctype main()
{
    printf("hello world\n")
}


Structure: Linear Temporal Logic

LTL Is An Extension of Propositional and Predicate Logic to Temporal Claims

SPIN Verification Relies on LTL to Make Claims About Models

Just Like Symbolic Logic, an LTL Formula Can Be Isomorphically Converted Into a Finite State Diagram (a Büchi Automaton)

Structure: LTL Formulae (Frequently Used)

Formula        Pronounced                           Type/Template
□p             always p                             invariance
♢p             eventually p                         guarantee
p → ♢q         p implies eventually q               response
p → (q U r)    p implies q until r                  precedence
□♢p            always eventually p                  recurrence (progress)
♢□p            eventually always p                  stability (non-progress)
♢p → ♢q        eventually p implies eventually q    correlation

Example

Example: Peterson’s Mutual Exclusion (Critical Section) Algorithm

(State diagram with states S0 to S5 and transition labels: flag[me] = 1; turn = me; wait while flag[other] != 0 && turn == me, proceed when flag[other] == 0 || turn == other; S4 = Critical Section; flag[me] = 0.)

Example: Peterson’s Mutual Exclusion (Critical Section) Algorithm

bool turn, flag[2];

active [2] proctype user()
{
again:
    flag[_pid] = 1;
    turn = _pid;
    (flag[1 - _pid] == 0 || turn == 1 - _pid);   /* wait until entry is allowed */
    /* Critical Section */
    flag[_pid] = 0;
    goto again;
}


Live Demo

Example: Peterson’s Mutual Exclusion (Critical Section) Algorithm

bool turn, flag[2];
byte ncrit;                     /* number of processes in the critical section */

active [2] proctype user()
{
    assert(_pid == 0 || _pid == 1);
again:
    flag[_pid] = 1;
    turn = _pid;
    (flag[1 - _pid] == 0 || turn == 1 - _pid);   /* wait until entry is allowed */
    ncrit++;
    assert(ncrit == 1); /* critical section */
    ncrit--;
    flag[_pid] = 0;
    goto again;
}
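The same Peterson model with the assertion replaced by two LTL claims from the table of frequently used formulae (invariance and response), added here as an example rather than the slides' own code. The file name peterson.pml and the helper array incrit are assumptions:

```promela
/* Added example: Peterson's algorithm with LTL claims instead of assert.
   Verify one claim at a time:
     spin -a peterson.pml && gcc -o pan pan.c
     ./pan -a -N mutex       # invariance: never two processes in the critical section
     ./pan -a -f -N resp0    # response: a raised flag is eventually followed by entry
                             # (-f enables weak fairness, the usual setting for liveness)
   Both report 0 errors.  Remove "turn = _pid" and mutex fails with a
   trail that "spin -t -p peterson.pml" replays. */

bool turn, flag[2];
byte ncrit;                     /* number of processes in the critical section */
bool incrit[2];                 /* incrit[i] is set while process i is inside */

#define want0 (flag[0])         /* propositional symbols used in the claims */
#define in0   (incrit[0])

active [2] proctype user()
{
again:
    flag[_pid] = 1;
    turn = _pid;
    (flag[1 - _pid] == 0 || turn == 1 - _pid);   /* wait until entry is allowed */
    incrit[_pid] = 1;
    ncrit++;
    /* critical section */
    ncrit--;
    incrit[_pid] = 0;
    flag[_pid] = 0;
    goto again;
}

ltl mutex { [] (ncrit <= 1) }           /* invariance: always p */
ltl resp0 { [] (want0 -> <> in0) }      /* response: p implies eventually q */
```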

Conclusion

Conclusion

Problem
  For complex problems, did the design actually cover all of our bases?
  How can I test distributed software process models efficiently and cost-effectively?

Solution
  SPIN formally proves temporal models mathematically
  Easy to use

Information
  Holzmann, G. J. (2009). Spin - Formal Verification. Retrieved from http://www.spinroot.com
  Holzmann, G. J. (1997). The Model Checker SPIN. IEEE Transactions on Software Engineering, 23(5).
  Holzmann, G. J. (2006). The Spin Model Checker. Troy, NY: Addison Wesley.
  Cimatti, A., Giunchiglia, F., et al. Model Checking Safety Critical Software with SPIN: an Application to a Railway Interlocking System.


Questions & Answers

Comp 587 – 12/2/09
Eduardo Borjas – Omer Azmon

Thank You!