The SPIN Model Checker

1
The SPIN Model Checker
2
SPIN Promela

• SPIN(Simple Promela Interpreter)
• tool for analyzing the logical consistency of
  concurrent systems
• concurrent systems are described in the modeling
  language called Promela
• Promela(Protocol/Process Meta Language)
• dynamic creation of concurrent processes
• communication via message channels
• specification language to model finite-state
  model
• very C like

3
What is SPIN?

• Press on the button model-checker
• Based on automata theory.
• Allows LTL or automata specification
• Efficient (on-the-fly model checking, partial
  order reduction).
• Developed in Bell Laboratories.

4
SPIN Architecture
LTL Translator
?
Simulator
XSPIN
SPIN
Promela Model M
Verifier Generator
C Program
Counter example
Checker
5
Spin capabilities

• Interactive simulation
• For a particular path
• For a random path
• Exhaustive verification
• Generate C code for verifier
• Compile the verifier and execute
• Returns counter-example
• Lots of options for fine-tuning

6
Promela Model

• Promela model consists of
• type declaration
• channel declarations
• variable declarations
• process declarations
• init process
• A Promela corresponds with a FSM, so
• no unbounded data
• no unbounded channels
• no unbounded processes
• no unbounded process creation

mytype MSG, ACK chan toS chan toR bool
flag proctype Sender() process
body proctype Receiver() process
body init
7
Processes

• A process type consists of
• a name
• a list of formal parameters
• local variable declarations
• body
• A process executes concurrently with all other
  processes, independent of speed of behaviour
• There may be several processes of the same type
• Each process has its own local state (process
  counter, local variables)

8
Process instantiation

• Processes are created using the run statement (it
  returns the process id) and start executing after
  it
• Processes can be created at any point in the
  execution
• Processes can also be activate by adding in front
  of the proctype declaration

proctype Foo(byte x) init int pid2run
Foo(2) run Foo(22) active ... proctype
Pippo()
9
Example

• proctype Sender(chan in chan out)
• bit sndB, rcvB
• do
• out ! MSG, sndB -gt
• in ? ACK, rcvB
• if
• sndB rcvB -gt sndB 1-sndB
• else -gt skip
• fi
• od

10
Variables and Types (1)

• Basic integer types bit, bool, byte, short, int
• Arrays fixed size
• byte a27
• bit flags4
• Records
• typedef Record
• short f1
• byte f2

11
Variables and Types (2)

• Variables should be declared
• int ii, bb
• Variables can be given a value by
• assignment
• bb1
• Rercord f
• f.bb1
• argument passing
• message passing

12
Statements (1)

• The body of a process consists of a sequence of
  statements. A statement is either
• executable the statement can be executed
  immediately.
• blocked the statement cannot be executed.
• An assignment is always executable.
• An expression is also a statement it is
  executable if it
• evaluates to non-zero.
• 2 lt 3 always executable
• x lt 27 only executable if value of x is smaller
  27
• 3 x executable if x is not equal to 3

13
Statements (2)

• The skip statement is always executable.
• does nothing, only changes process process
  counter
• A run statement is only executable if a new
  process can be created (remember the number of
  processes is bounded).
• A printf statement is always executable (but is
  not evaluated during verification, of course).
• assert(ltexprgt)
• The assert-statement is always executable.
• If ltexprgt evaluates to zero, SPIN will exit with
  an error, as the ltexprgt has been violated.
• The assert-statement is often used within Promela
  models, to check whether certain properties are
  valid in a state.

14
Interleaving Semantics

• Promela processes execute concurrently.
• Non-deterministic scheduling of the processes.
• Processes are interleaved (statements of
  different processes do not occur at the same
  time).
• exception rendez-vous communication.
• All statements are atomic each statement is
  executed without interleaving with other
  processes.
• Each process may have several different possible
  actions enabled at each point of execution.
• only one choice is made, non-deterministically.

15
Example
16
if-statement

• If
• choice1 -gt option1
• choice2 -gt option2
• else -gt option3 / optional /
• fi
• Cases need not be exhaustive or mutually
  exclusive
• Non-deterministic selection

17
Looping

• do
• xgty -gt xx-y
• ygtx -gt yy-x
• else goto outside
• od
• do
• (x gt y) -gt x x y
• (x lt y) -gt y y x
• (x y) -gt goto done
• od

18
Repetition

• proctype counter()
• do
• (count ! 0) -gt
• if
• count count 1
• count count 1
• fi
• (count 0) -gt break
• od

19
Executbility

• Declarations and assignments are always
  executable
• Conditionals are executable when they hold
• The following are the same
• while (a ! b) skip
• (a b)

20
Executability

• No difference between conditions and statements
• Execution of every statement is conditional on
  its executability
• Executability is the basic means of
  synchronization

21
Delimitors

• Semi-colon is used a statement separator not a
  statement terminator
• Last statement does not need semi-colon
• Often replaced by -gt to indicate causality
  between two successive statements
• (a b) c c 1
• (a b) -gt c c 1

22
Parameter passing

• proctype A(byte x short foo)
• (state 1) -gt state foo
• init run A(1,3)
• Data arrays or processes cannot be passed

23
Variable scoping

• Similar to C
• globals, locals, parameters
• byte foo, bar, baz
• proctype A(byte foo)
• byte bar
• baz foo bar

24
Races and deadlock

• byte state 1
• proctype A()
• (state 1) -gt state state 1
• proctype B()
• (state 1) -gt state state 1
• init run A() run B()

25
Atomic sequences

• byte state 1
• proctype A() atomic
• (state 1) -gt state state 1
• proctype B() atomic
• (state 1) -gt state state 1
• init() run A() run B()

26
Message types and channels

• mtype OK, READY, ACK
• mtype Mvar ACK
• chan Ng2 of byte, byte, mtype,
  Next0 of byte

27
Message passing

• Channel declaration
• chan qname 16 of short
• chan qname 5 of byte,int,chan,short
• Sending messages
• qname!expr
• qname!expr1,expr2,expr3
• Receiving messages
• qname?var
• qname?var1,var2,var3

28
Message passing

• More parameters sent
• Extra parameters dropped
• More parameters received
• Extra parameters undefined
• Fewer parameters sent
• Extra parameters undefined
• Fewer parameters received
• Extra parameters dropped

29
Message passing

• chan x 1 of bool
• chan y 1 of bool,bool
• proctype A(bool p, bool q) x!p,q y?p
• proctype B(bool p, bool q) x?p,q y!q
• init run A(1,2) run B(3,4)

30
Message passing

• Convention first message field often specifies
  message type (constant)
• Alternatively send message type followed by list
  of message fields in braces
• qname!expr1(expr2,expr3)
• qname?var1(var2,var3)

31
Executability

• Send is executable only when the channel is not
  full
• Receive is executable only when the channel is
  not empty
• Optionally some arguments of receive can be
  constants
• qname?RECV,var,10
• Value of constant fields must match value of
  corresponding fields of message at the head of
  channel queue

32
Queue length

• len(qname) returns the number of messages
  currently stored in qname
• If used as a statement it will be unexecutable if
  the channel is empty

33
Composite conditions

• Invalid in Promela
• (qname?var 0)
• (a gt b qname!123)
• Either send/receive or pure expression
• Can evaluate receives
• qname?ack,var

34
Subtle issues

• Consider the following
• qname?msgtype -gt qname?msgtype
• (len(qname) lt MAX) -gt qname!msgtype
• Second statement not necessarily executable after
  the first
• Race conditions

35
Rendezvous

• Channel of size 0 defines a rendezvous port
• Can be used by two processed for a synchronous
  handshake
• No queueing
• The first process blocks
• Handshake occurs after the second process arrives

36
Example

• define msgtype 33
• chan name 0 of byte,byte
• proctype A()
• name!msgtype(99) name!msgtype(100)
• proctype B() byte state name?msgtype(state)
• init run A() run B()

37
Control flow

• We have already seen some
• Concatenation of statements, parallel execution,
  atomic sequences
• There are a few more
• Case selection, repetition, unconditional jumps

38
Procedures and Recursion

• Procedures can be modeled as processes
• Even recursive ones
• Return values can be passed back to the calling
  process via a global variable or a message

39
Timeouts

• Proctype watchdog()
• do
• timeout -gt guard!reset
• od
• Get enabled when the entire system is deadlocked
• No absolute timing considerations

40
Assertions

• assert(any_boolean_condition)
• pure expression
• If condition holds -gt no effect
• If condition does not hold -gt error report during
  verification with Spin

41
Examples

• The railway problem

42
Properties

• .

43
Translating into SPIN

• mtype raise, lower, cross
• bool up
• bool app
• proctype Gate(chan req)
• up 1
• do
• req ? raise -gt up 1 printf("gate up")
• req ? lower -gt up 0 printf("gate down")
• up 0 -gt req ? cross printf("OK to
  cross")
• od

44

• proctype Train(chan toGate)
• do
• printf("approaching")app 1
• toGate ! lower
• printf("train in crossing")
• toGate ! raise app 0
• od

45

• proctype Car(chan toGate)
• do
• toGate ! cross
• printf("car crossed")
• od

46

• init
• chan request 0 of mtype
• run Gate(request)
• run Train(request)
• run Car(request)

47
Research trends

• Combine with theorem-proving (PVS).
• Parameterized verification.
• Verify the n-component system for all n.
• Pipelines with n stages.
• Cache protocol with n memory units.
• ..
• Infinite state systems
• Timed systems (TRIO Model Checker).
• Hybrid systems.