Model Checking with SPIN LTL Properties

About This Presentation

Title:

Model Checking with SPIN LTL Properties

Description:

express temporal properties you expect from it. verify the model. ... Problem: we defined the meaning of temporal properties in terms of all computations of P. ... – PowerPoint PPT presentation

Number of Views:289

Avg rating:3.0/5.0

Slides: 64

Provided by: wish

Category:

more less

Transcript and Presenter's Notes

Title: Model Checking with SPIN LTL Properties

1
Model Checking with SPINLTL Properties

by
Wishnu Prasetya wishnu_at_cs.uu.nl
www.cs.uu.nl/docs/vakken/pv

2
Overview

This pack
Briefly about SPIN
Abstract model of programs
Temporal properties
Verification (via model checking) algorithm
Concurency
Further ahead
More about SPIN

3
SPIN

Allows you to
model a concurrent program
express temporal properties you expect from it
verify the model. Fully automatic!
Concurrency is a hot area again, with the
multi-cores coming...
Or a bit more innovative applications
AnWeb a system for automatic support to web
application verification, Di Sciascio et al, in
14th conf. on Soft. Eng. and knowledge eng.,
2002.
Privacy and Contextual Integrity Framework and
Applications, Barth et al, in IEEE Symposium on
Security and Privacy, 2006.

4
Some SPIN examples
byte x 1
active proctype P2 () x--
active proctype P1 () x assert
(x2)
5
Some SPIN examples
chan c 0 of byte
active proctype S () byte x do
x c!x od
active proctype R () byte y do
c?y od
E.g. you may want to verify whether this system
wont deadlock. But how to express this!?
6
Frontend XSpin
view edit () model
Messages sequence viewer (from simulator)
specification editor
7
Abstract Model

Well temporarily back off from concrete SPIN
level, and look instead at a more abstract view
on the problem.
We will model a program as a finite automaton.
We are more interested in run-time properties
(as opposed to e.g. Hoare triples)
Whenever R receives, the value it receives is
never 0.
SR wont deadlock.
Called temporal properties

8
Reference

An automata-theoretic approach to automatic
program verification, by Vardi and Wolper. 1st
IEEE Symp. on Logic in Comp. Science, 1986.
On nested depth-first search, by Holzmann et al,
1996
Linked from PV site.
Acknowledgement some parts of the slides are
taken from Luciano Serafinis course on Logics
for Knowledge Representation and Reasoning,
Trentino, Italy.

9
Kripke Structure

A finite automaton, represented by a tuple ( S,
s0, R, V )
S finite set of states
s0 initial state
R S ? 2S transition relation R s N ? N
is the set of possible next state from s
V S ? Prop
No explicit terminal states. States with no
successor can be thought as terminal.

Non-deternministic
10
Example
Represented by (S, s0, R, V) where S
0,1 s0 0 R such that R 0
0,1 R 1 1 V ...
0 x -1
1 x 1
A computation (execution) a sequence u of
states, such that u0 s0, and ui1 ? R ui.
Basically, a path through the automaton.
11
State?

Actual state of a program is too verbose (we
dont want to care about e.g. content of various
registers and stacks).
State from programmers view the values of the
programs variables at a given point.
How the actual SPIN implementation operates.
But abstractly, we may not be interested in all
variables...
State, very abstractly just an integer. We can
still distinguish one state from another, but we
lose all info about program variables.
Too abstract.

12
Abstract state

For now lets opt for an abstract notion of states
in our automata, e.g. integer.
But we provide a set Prop of relevant
propositions we want to observe on our states.
The function V specifies how to interpret the
propositions on each state V s p0, p1, ...

Also called atomic propositions.
The set of propositions which are true on the
state s.
13
Example
If we take Prop x-1, x1 V 0
x-1 V 1 x1
0
x -1
But we can also take Prop isOdd x, xgt0
V 0 isOdd x V 1 isOdd x, xgt0
1
x 1
14
Computation / Execution

Well tweak our notion of computation a bit.
Computation is an infinite sequence ? just to
simplify the formal treatment later.
Each computation induces an abstract
computation, which is a sequence of subsets of
Prop which are true on the corresponding
states.So, if u is a computation, the abstract
computation ? it induces is

Hey, an abstract computation is an infinite
sentence over 2Prop.
V(u0) , V(u1) , V(u2) , ...
15
Example
0
x -1
Prop isOdd x, xgt0 V 0 isOdd x
V 1 isOdd x, xgt0
1
x 1
Computation 0, 0, 1, 1, ...
Induce abs-comp isOdd x , isOdd x, isOdd
x, xgt0, isOdd x, xgt0 , ...
16
Properties

Recall that we want to express run-time
properties ? well use temporal properties from
Linear Temporal Logic (LTL)
Originally designed by philosophers to study the
way that time is used in natural language
arguments ?Based on a number of operators to
express relation over time
Brought to Computer Science by Pnueli, 1977.

X next
always
ltgt eventually
U until

17
Informal meaning
f // always f ltgt f // eventually
f X f // next f f U r //
until f R r // releases
18
Example
chan c 0 of byte
active proctype S () byte x do
x c!x od
active proctype R () byte y do
c?y od
ltgt x0 indirectly implies absence of deadlock.
(x0 ? X(x1)) Not valid.
19
Very expressive!

( p ? ltgtq ) // whenever p
holds, eventually q will hold
p U ( q U r )
ltgt p //
eventually stabilizing to p

20
Now formally...

Syntax
? p // atomic proposition from
Prop
?? ? /\ ? X ?
? U ?
Derived operators
? \/ ? ?(?? /\ ??)
? ? ? ?? \/ ?
Interpreted over computations.

21
Defining the meaning of temporal formulas

First well define the meaning wrt to a single
abstract computation
?,i ? ? holds on the sufix ?i..?
? ? ? holds on the entire ? ? ?
?,0 ?
If P is a Kripke structure,P ? ? holds
on all computations of PP ? (??
? is a comp. of P ? ? )

22
Meaning

Let ? be an (abstract) computation.
?,i p p ? ?(i) // p ? Prop
?,i ?? ? (?,i ?)
?,i ?/\? ?,i ? and ?,i
?
?,i X? ?,i1 ?
?,i ? U ? there is a j?i such that ?,i
?, and for all h, i?hltj, ?,i
?.

23
Example
isOdd x
0
isOdd x , xgt0
1
Consider abs-comp ? isOdd x , isOdd x,
isOdd x, xgt0, isOdd x, xgt0 , ...
? isOdd x U xgt0
However, this is not a valid property of the
program.
24
Derived temporal operators

ltgt? true U ?
? ?ltgt??
? unless ? ? \/ (? U ?)

Also known as weak untill ? W ? Almost
similar to release ? R ?
25
Past operators

previous?,i Y? igt0 and ?,i-1 ?
since ?,i ? S ? there is a j, 0?j?i
and ?,j ?, and for all k, jltk?j, ?,k
?.
Unfortunately, not supported by SPIN.

26
Ok, so how can I verify P ? ?

Prove it by hand? Expensive.
Use computer to check all possibilities.
Problem we defined the meaning of temporal
properties in terms of all computations of P.
Even a small program may have infinitely many
computations.
Even checking if ? holds on a single computation
is problematical, because the computation is
infinite.

27
Borrowing ideas from language theory

Let P be a program, represented by a Kripke
structure.
Recall that a computation of P induces an
abstract computation, which can be seen as an
infinite sentence over 2Prop ?.
View P as a sentences generator. Define

L(P) ? ? is an abs-comp of P
the sentences over 2Prop generated by P
28
Representing ? to an automaton

Let ? be the temporal formula we want to verify.
Suppose we can find an automaton A? that
accepts exactly those infinite sentences over
2Prop where ? holds.
Define

L(A?) the set of sentences accepted by A?
So L(A?) ? ? ?
29
Re-express the problem as a language problem

Well, P ? iff
There is no ??L(P) which will violate ?.
In other words, there is no ??L(P) that will be
accepted by L(A??).
So

P ? iff L(P) ? L(A??) ?
30
Buchi Automaton

A Buchi automaton is represented by a tuple ( ?
, Q , ? , I , F )
Q set of states
? set of labels of the transitions
? Q???2S transition relation
I ? Q set of initial states
F ? Q set of acceptance states

31
Example
Represented by (?,Q,?,I,F) where ? a,
b Q q1, q2 I q1 F
q1 ? (q1,a) q1 ? (q1,b) q2
? (q2,a) q1 ? (q2,b) q2
32
Automaton for accepting sentences

A (finite) sentence ? is accepted by A if it
induces a path over A, starting in an initial
state, ending in a final state.E.g. in the A
on the right, aba and aa is accepted bb
is not accepted.
But this is for finite sentences, we need a bit
different accepting criterion for infinite
sentences.

33
Acceptance criterion for Buchi

Let A (?,Q,?,I,F) be a Buchi automaton.
A sentence is a sequence over ?. // labels of
arrows
Were interested in infinite sentences.
Let ? be an infinite sequence. A run over ? is a
sequence ? of states, such that ?0?I and
?i1 ? ?(?i , ?i )

A run ? is accepting if there is an accepting
state f?F that occurs infinitely many often in ?.
34
Acceptance criterion for Buchi

An (infinite) sentence ? is accepted by A if it
has an accepting run over it.
The language of A is just the set of sentences
accepted by it L(A) ? ? is accepted
by A

35
Example
A

abab ? not an infinite sentence
ababab ? accepted
abbbb ? not accepted!

36
Expressing temporal formulas as Buchis
The key idea is to use 2Prop as the ?. So, each
arrow-label is a subset of Prop. Note that such a
Buchi will accept infinite sentences over 2Prop
! Example ?Xp ( X?p)
Indirectly saying that p is false.
Well take Prop p
?

p
We can drop this, since we only need to (fully)
cover accepted sentences.

37
Adding some helpful notations
?Xp, using Prop p
?

So we have 4 subsets.
Stands for all subsets of Prop that do not
contain p thus implying p does not hold.
?Xp, using Prop p,q
p?
?

Stands for all subsets of Prop that contain p
thus implying p holds.
q
p?
38
Until
Formula p U q
q?

p?
Formula p U ?Xq
q?

p?
39
Until
Formula ?(p U q)
q?
p?

else

You can drop the else part any sentence that
follow it are not accepted anyway.
The automaton is incorrect ? ? exercise.

?(? U ?) ?? unless ?? /\ ?? ?(?
unless ?) ?? U ?? /\ ??
40
Always and Eventually
p
p?
ltgtp
p?

ltgtp
p?
p?

41
Systematic construction

How about formulas like (Xp) U q (p U q) U
rTheir Buchi is not trivial to construct.
Still, any LTL formula can be converted to a
Buchi. SPIN implements an automated conversion
algorithm unfortunately it is quite complicated.

42
Check list
P ? iff L(P) ? L(A??) ?

How to construct A?? ?? ? Buchi ?
We still have a mismatch, because P is a Kripke
structure!
Fortunately, we can easily convert it to a Buchi.
We still have to construct the intersection.
We still to figure out a way to check emptiness.

43
Converting Kripke to Buchi

Let ( S, s0, R, V ) be a Kripke structure, we
convert it to this Buchi (2Prop, S , s0 , ?
, S ) t ? ? (s,Z) iff t ? R s and Z
V s

Entire S as the accepting states so that any
infinite computation is accepted by this Buchi.
44
Example
isOdd x
0
isOdd x , xgt0
1
isOdd x
0
isOdd x
1
isOdd x, xgt0
45
Computing intersection

Rather than directly checking L(AP) ? L(A??)
?We check L(AP ? A??) ?

The Buchi version of Kripke P ?
So we need to figure out how to construct this
intersection of two Buchis.Computation over this
intersection is also called a lock-step
computation.
46
Constructing Intersection, example
p isOdd xq xgt0
AP
p,q
p
p
Ap ? A?ltgtq
A?ltgtq
p
q?
47
Intersection, formally

Let M and A be Buchis over the same alphabet ?
furthermore all states of M are accepting M
(?, Q1, ?1, I, Q1) A (?, Q2, ?2, J, G)
M ? A (?, Q1?Q2, ? , I?J , Q1?G ) (s,t)
? ? ((s,t), a) iff s ? ?1 s and t ? ?2
t

48
Verification

So it comes down to checking L(AP ? A??)
?
Sufficient to have an algorithm to check if L(C)
?, for some Buchi automaton C!
So, it comes down to a cycle finding in a finite
graph! Can be done in finite time.

L(C) ? ? iff there is a finite path from the
initial state of C, leading to an accepting state
f , followed by a cycle back to f
Moreover, when such a pathcycle is found, this
is also your counter example!
49
Cycle detection

Let C AP ? A?? , we want to check if C is
non-empty.
Approach 1
Calculate all strongly connected component (SCCs)
of C, each has at least one accepting state.
Check if there is an SCC reachable from Cs
initial state.
Requires full graph of P to start (thus full
state space).

50
Cycle detection

Approach 2 using (double) depth-first
state space can be constructed on-the-fly
is used by SPIN

if assertionError(s) then report
dfs(s) add s to Statespace for
(t ? suc(s) ) if ? t ? Statespace
then dfs(t)
(?a t ? ?(s,a))
This is just a base algorithm. It wont find
cycles but it can generate Cs state space. We
can use it to check assertions.
51
Example
0
1
2
3
Simulating DFS
0
Stack is used to maintain the current path
leading to the current node so that when error
is found, you can report this execution path.
1
2
3
52
SPINs Double DFS
dfs(s) if error(s) then report add
(s,0) to Statespace for (t ? suc(s) )
if ? (t,0) ? Statespace then dfs(t) if
isAccepting s then seed s ndfs(s)
ndfs(s) // the nested dfs add (s,1) to
Statespace for (t ? suc(s) ) if
? (t,1) ? Statespace then
ndfs(t) else if sseed
then report cycle
Or if s?stack of the outer dfs
53
Example
0
When 2nd dsf finds a node in the stack of outer
dfs, this implies an accepting cycle.
1
2
3
Simulating nested DFS
0
1
2
3
Finding a reachable accepting cycle! Error.
54
On-the-fly generation

In SPIN we dont actually have AP ? A?? in the
memory
This would imply that we already have generated
the full state space ? we can do better.
We have
P , operating on concrete states (instead of a
Kripke structure)
The automaton A??, in a slightly different
form, but quite close to Buchi.
We wont actually construct the automaton have
AP ? A?? .

55
On-the-fly generation
This generates the state space on the fly.
dfs(s) if error(s) then report add
(s,0) to Statespace for (t ? suc(s) )
if ? (t,0) ? Statespace then dfs(t) if
isAccepting s then seed s ndfs(s)
s, and t are states of combined automaton AP ?
A?? so they are pairs s (s1, s2) and
t (t1, t2) Replace the check t ? suc(s)
with (?? ? is an action of P, enabled in
s1 t1? ? s1) and (?a (?f?a f
holds in s1) and (?f?P/a ?f hold in s1) t2 ?
A?? t1)
56
Concurrency

Consider
How does a concurrent execution of P and Q
proceed??
Depend on the underlying runtime system
We will assume an interleaving execution model
More abstract ? simplify formal treatment
Put a constraint on the runtime system

x is initially 0
P x x

Q print x
57
Interleaving model

A system consists of a set of interacting and
concurrent processes.
For simplicity, each process is sequential (no
nested concurrency).
Abstractly we can think each process sequentially
execute actions, and each action is assumed to
be terminating and atomic.
Under this view, concurrent executions (of the
processes) can be modeled by sequential but
interleaving executions of the underlying actions.

58
Interleaving model
x
x
P
print x
Q
P Q
59
Atomicity

What statement can be executed atomically depends
on the runtime system
x usually no problem
xgt0 ? yx ok, if we can lock both x and y
0?S ? foundtrue not possible if S cant be
locked may not be preferred, even if S
can be locked.

60
Incorporating interleaved execution in SPIN
dfs(s) add (s,0) to Statespace
for (t ? suc(s) ) if ? (t,0) ? Statespace
then dfs(t)
Now quantify over all actions of all processes,
which are enabled in s1. States like s1 are now
system states.
Represent s and t as pairs s (s1, s2) and
t (t1, t2) Replace the check t ? suc(s)
with (?? ? is an action of P, enabled in
s1 t1? ? s1) and (?a (?f?a f
holds in s1) and (?f?P/a ?f hold in s1) t2 ?
A?? t1)
61
Fairness

Consider this concurrent system Is it
possible that print x is ignored forever?
The runtime system determines which fairness
assumption is reasonable
No fairness
Weak fairness an action cannot be forever
enabled and forever ignored.
Strong fairness an action cannot be infinitely
often enabled and forever ignored.
There are other variations
A fair execution an execution respecting the
assumed fairness condition.

P do x od

Q xgt10 ? print x
62
Fairness in SPIN
Is it possible that P is continually ignored?
SPINs default is yes. However we can impose
process level weak fairnessWhen a process is
continually enabled (it has at least one runnable
action), it will eventually be executed. More
elaborate fairness assumptions can be encoded an
LTL formulas.
active proctype P () do (xlt3) -gt
x (x3) -gt Lab0 x0 (xgt0)
-gt Lab1 yx od active proctype Q ()