Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab) Richard M. Murray Nok Wongpiromsarn Ufuk Topcu California Institute of Technology EECI 19 Mar 2013 Outline The Spin Model • Spin model checker: modeling Checker concurrent systems and descr- Gerard J. Holzmann ibing system requirements in Addison-Wesley, 2003 Promela http://spinroot.com • Model-checking with Spin • Logic synthesis with Spin The process flow of model checking Efficient model checking tools automate the process: SPIN, nuSMV, TLC,... EECI, Mar 2013 Richard M. Murray, Caltech CDS 2 Spin Verification Models System design (behavior specification) process 1 Promela (Process Meta Language) is a non- g1 TS 1 • ; { } deterministic, guarded command language for s0: red s1: green specifying possible system behavior of a distributed system in Spin There are 3 types of objects in Spin verification • process 2 model TS - asynchronous processes g2 2 ; { } - global and local data objects s0: red s1: green - message channels System requirements (correctness claims) default properties Φ = g1 g2 • ⇤⌃ ^ ⇤⌃ absence of system deadlock - true - absence of unreachable code q0 A g g • assertions • fairness ¬ 2 ¬ 1 end-state labels never claim g2 g • • ¬ q1 q2 ¬ 1 • acceptance • LTL formulas • progress • trace assertions EECI, Mar 2013 Richard M. Murray, Caltech CDS 3 Running Spin model.pml system pan.c design -a (model gcc Spin checking compiler system code) requirements -i -t model.trail pan random interactive guided negative simulation simulation simulation (counter- result (executable example) verifier) Typical sequence of commands correctness proof $ spin -u100 model!# non-verbose simulation for 100 steps $ spin -a model!! # generate C code for analysis (pan.c) $ gcc -o pan pan.c!# generate executable verifier from pan.c $ ./pan -a -N P1!# perform verification of specification P1 $ spin -t -p model!# show error trail Note: spin -- and ./pan -- list available command-line and un-time options, resp. EECI, Mar 2013 Richard M. Murray, Caltech CDS 4 Account Setup Lab computer login How to edit and use files • Username: LAB22-0N\eeci • Edit files using ‘Notepad’ in the - NN = 1, 2, 3, ... dropbox folder on Windows • Password: P@ssw0rd - Remember to save after you make changes Connecting to Amazon - Wait a few seconds for sync’ing • Run “Putty” from the desktop • Run commands on Amazon • Double click on EECI saved session • Look at results on Amazon • Username: eeci13 • Password: pw4belgrade Using Amazon from your own laptop • See Ufuk or Richard to get IP address Finding the right folder on Amazon for appropriate Amazon instance • cd groupN/spin • Install Dropbox and then see Richard • ls!!!# list files or Ufuk to get sharing set up Open Dropbox folder for your group Installing Spin on your laptop • Double click on Dropbox icon (should • Install Spin from spinroot.com be on desktop) (requires local C compiler) • Open ‘groupN’ folder to see the same • Download sample files from course files web page (Computer Session 1) EECI, Mar 2013 Richard M. Murray, Caltech CDS 5 Example 1: traffic lights (property verified) System TS: composition of two traffic lights Specification P 1 : and a controller “The light are never green g1 simultaneously.” c2 q2,s1,c2 { } [](!(g1 && g2)) q1 s1 ↵ ↵ ↵ ↵ ↵ ↵ β β c1 q1,s1,c1 SPIN code: q s2 β β β β P1 2 ¬ g1 g2 A c3 q1,s2,c3 traffic traffic g2 { } { } controller light 1 light 2 = { } Property verified: TS P1 ltl P1 { [] (! (g1 && g2)) } spin -a lights_simple.pml lights_simple.pml ltl P2 { [] <> g1 } gcc -o pan pan.c ltl P3 { ./pan -a -N P1 lights_simple.pml (always (!(g1&&g2))) && ./pan -a -N P2 lights_simple.pml (always eventually g1) spin -t -p lights_simple.pml } EECI, Mar 2013 Richard M. Murray,6 Caltech CDS Promela: Process Modeling Language bit g1, g2;!!!/* light status */ Declarations bit alpha1, alpha2, beta1, beta2; Declare global variables (+ initialize) int c = 1;!!!/* control state */ • active proctype TL1() { • Types: bit, int, char, etc + arrays do :: alpha1 -> g1 = 1 Processes :: beta1 -> g1 = 0 Each process runs independently od • } • ‘active’ => process starts immediately active proctype TL2() { - Otherwise use ‘run’ command loop2: Process = sequence of statements alpha2 -> g2 = 1 • beta2 -> g2 = 0 • Statements = guard or assignment goto loop2 } Control flow active proctype control() { • ‘do’ loops: non-deterministic execution do ‘goto’ statements: jump to location :: c == 1 -> alpha1=1; beta1=0; c = 2; • :: c == 2 -> alpha1=0; beta1=1; c = 3; • guarded commands: ‘guard -> rule’ :: c == 3 -> alpha2=1; beta2=0; c = 4; :: c == 4 -> alpha2=0; beta2=1; c = 1; Specifications od LTL statement to be checked } • - These generate ‘never’ claims ltl P1 { [] <> g1 } internally to spin (will see later) ltl P2 { [] ! (g1 && g2) } EECI, Mar 2013 Richard M. Murray, Caltech CDS 7 Promela Objects: Processes • A keyword proctype is used to declare process behavior • 2 ways to instantiate a process - Add the prefix active to a proctype declaration. The process will be instantiated in the initial system state. - Use run operator to instantiate a process in any reachable system state # of processes to be instantiated in the initial system state proctype you run(byte x) active [2] proctype main() { printf("x = %d n", x) \ { prinf("hello world n") } \ init } { run you run(0); keyword for initial process run you run(1) declaration and instantiation } Extra process init needs to be created EECI, Mar 2013 Richard M. Murray, Caltech CDS 8 Promela Objects: Data Objects • 2 levels of scope: global and process local • No intermediate levels of scope • The default initial value of all data objects is zero • All objects must be declared before they can first be referenced • User-defined type can be declared using keyword typedef Type Typical Range Sample Declaration bit 0,1 bit turn = 1 bool false, true bool flag = true all elements byte 0 ...255 byte a[12] initialized to 0 chan 1 ...255 chan m mtype 1 ...255 mtype n pid 0 ...255 pid p 15 15 all elements short 2 ...2 1 short b[4] = 89 initialized to 89 int −231 ...231 − 1 int cnt = 67 unsigned 0−...2n 1 − unsigned w: 3=5 − unsigned stored in 3 bits (range 0...7) EECI, Mar 2013 Richard M. Murray, Caltech CDS 9 Basic Statements • Assignment valid assignment: if the right-hand side yields a value outside - c++, c--, c = c+1, c = c-1 the range of c, truncation can result - invalid assignment: ++c, --c • Expressions - must be side effect free - the only exception is the run operator, which can have a side effect • Print: printf("x = %d n", x) \ • Assertion:assert(x+y == z), assert(x <= y) - always executable and has no effect on the state of the system when executed - can be used to check safety property: Spin reports a error if the expression can evaluate to zero (false) int n; active proctype invariant() The assertion statement can be executed at any time. This can be used to check a { system invariant condition: it should hold no assert(n <= 3) matter when the assertion is checked. } send • message passing between processes (later, if time) • receive } EECI, Mar 2013 Richard M. Murray, Caltech CDS 10 Rules for Executability A statement in a Spin model is either executable or blocked • A statement is executable iff it evaluates to true or non-zero integer value 2<3 is always executable x < 27 executable i↵ x<27 3+x executable i↵ x =3 6 • print statements and assignments are always unconditionally executable • If a process reaches a point where there is no executable statements left to execute, it simply blocks while (a != b) a == b; block until a==b { skip; do nothing while waiting for a==b } do L: if :: (a == b) -> break :: (a == b) -> skip :: else -> skip :: else -> goto L od fi EECI, Mar 2013 Richard M. Murray, Caltech CDS 11 Nondeterminism 2 levels of nondeterminism • System level: processes execute concurrently and asynchronously - Process scheduling decisions are non-deterministic - Statement executions from different processes are arbitrarily interleaved in time - Basic statements execute atomically • Process level: local choice within processes can also be non-deterministic byte x = 2, y = 2; active proctype A() do { :: x = 3-x :: y = 3-y od At any point in an execution, any of these active} proctype B() statements can be executed do { :: x = 3-y :: y = 3-x od } EECI, Mar 2013 Richard M. Murray, Caltech CDS 12 Control Flow • Semicolons, gotos and labels swap the values of a and b • Atomic sequences: atomic ... atomic d step { } { { - Define an indivisible sequence of actions tmp = b; tmp = b; - No other process can execute statements from the moment b = a; b = a; that the first statement of this sequence begins to execute a = tmp a = tmp until the last one has completed } } • Deterministic steps: d step ... { } - Similar to atomic sequence but more restrictive, e.g., no nondeterminism, goto jumps, or unexecutable statements if are allowed :: (n % 2 != 0) -> n = 1 the else guard is executable • Nondeterministic selection: iff none of the other guards :: (n >= 0) -> n = n-2 if is executable. :: (n % 3 == 0) -> n = 3 :: guard1 -> stmnt11; stmnt12; ... :: else /* -> skip */ :: guard2 -> stmnt21; stmnt22; ... fi :: ... without the else clause, the if- fi statement would block until • Nondeterministic repetition: other guards becomes true. do :: guard1 -> stmnt11; stmnt12; ... do :: guard2 -> stmnt21; stmnt22; ... :: x++ :: ... :: x-- do :: break transfers control to the end of • Escape sequences: P unless E the loop { } { } od • Inline definitions: inline ... { } EECI, Mar 2013 Richard M. Murray, Caltech CDS 13 Nondeterministic Selection and Repetition if do :: guard1 -> stmnt11; stmnt12; ... :: guard1 -> stmnt11; stmnt12; ... :: guard2 -> stmnt21; stmnt22; ... :: guard2 -> stmnt21; stmnt22; ... :: ... :: ... fi do • If at least one guard is executable, the if/do statement is executable • If more than one guard is executable, one is selected non-deterministically • If none of the guard statements is executable, the if/do statement blocks • Any type of basic or compound statement can be used as a guard • ‘if’ statement checks once and continues; ‘do’ statement re-executes code until a break is reached EECI, Mar 2013 Richard M.