SPIN Model Checker
By Fred A. Du Brock
SPIN Model Checker: an overview
- Spin is a tool for software model checking
- Not meant for hardware checking
- Written by Gerard J. Holzmann et al.
- Has evolved for more than 15 years
What is SPIN?
- Automata-based model checker
- Represents the negated linear temporal logic (LTL) property
- Checks the model against the Büchi automaton
- Then performs a depth-first search for the recurrent reachability of an accepting state of the product automaton
- Model checking is a method to algorithmically verify finite state systems formally.
- This is achieved by verifying whether the model, often derived from a hardware or software design, satisfies a logical specification.
- The specification is often written as temporal logic formulas.
- The model is usually expressed as a directed graph consisting of nodes (or vertices) and edges.
- A set of atomic propositions is associated with each node. The nodes represent states of a program, the edges represent possible executions which alter the state, while the atomic propositions represent the basic properties that hold at a point of execution.
- The problem can be expressed mathematically as: given a temporal logic formula p and a model M with initial state s, decide if M, s ⊨ p (M at s models p).
Linear temporal logic
- Linear temporal logic (LTL) is a temporal logic: its formulas talk about the future of paths.
- LTL is built up from propositional variables p1, p2, ..., the usual logical connectives ¬, ∨, ∧, → and the following temporal operators.
- LTL formulas are generally evaluated over paths and a position on that path. An LTL formula as such is satisfied if and only if it is satisfied for position 0 on that path.
Linear temporal logic
LTL continued
- However, one can reduce to two of those operators, since the following always holds:
  * F φ = true U φ
  * G φ = ¬F ¬φ
  * φ R ψ = ¬(¬φ U ¬ψ)
- LTL can be shown to be equivalent to first-order logic over one successor and the smaller relation, FO[S, <], as well as to star-free regular expressions or deterministic finite automata with loop complexity 0.
Büchi automaton
- A Büchi automaton is the extension of a finite state automaton to infinite inputs.
- It accepts an infinite input sequence iff there exists a run of the automaton (in the case of a deterministic automaton there is exactly one possible run) which visits the set of final states infinitely often.
- Automata on infinite words are useful for specifying the behavior of nonterminating systems, such as hardware or operating systems.
- For such systems, you may want to specify a property such as "for every request, an acknowledge eventually follows", or its negation "there is a request which is not followed by an acknowledge".
- The latter is a property of infinite words: you cannot say of a finite sequence that it satisfies this property.
Depth-first search
- Depth-first search (DFS) is an algorithm for traversing or searching a tree, tree structure, or graph. Intuitively, you start at the root (selecting some node as the root in the graph case) and explore as far as possible along each branch before backtracking.
- Formally, DFS is an uninformed search that progresses by expanding the first child node of the search tree that appears, going deeper and deeper until a goal state is found or it hits a node that has no children. Then the search backtracks and starts off on the next node.
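The search the "What is SPIN?" and DFS slides describe, as an added example in Python (not code from the slides or from SPIN itself): a nested depth-first search over a product automaton looking for a reachable cycle through an accepting state, run on a hand-built product for the request/acknowledge property from the Büchi slide. The state names, the two product graphs and the claim states 'init'/'pending' are all constructed for illustration.

```python
# Added example, not from the slides or from SPIN's sources: the nested DFS
# SPIN uses to find an accepting cycle in the product of a system model and
# the Büchi automaton for the negated LTL property (hand-built graphs below).

def find_accepting_cycle(edges, init, accepting):
    """Return (prefix, cycle) for a reachable accepting cycle, or None.
    A result means the product accepts an infinite run, i.e. the property
    is violated; prefix + cycle is the counterexample lasso SPIN reports."""
    visited, flagged, stack = set(), set(), []

    def inner(seed, s, path):
        # Second DFS: try to close a cycle back to the accepting seed state.
        for t in edges.get(s, ()):
            if t == seed:
                return path + [t]
            if t not in flagged:
                flagged.add(t)
                found = inner(seed, t, path + [t])
                if found:
                    return found
        return None

    def outer(s):
        # First DFS; starting the inner search in postorder keeps 'flagged' sound.
        visited.add(s)
        stack.append(s)
        for t in edges.get(s, ()):
            if t not in visited:
                found = outer(t)
                if found:
                    return found
        if s in accepting:
            cycle = inner(s, s, [s])
            if cycle:
                return list(stack), cycle
        stack.pop()
        return None

    return outer(init)

# Product states are (system location, never-claim state). The claim for
# "there is a request never followed by an acknowledge" moves to 'pending'
# on a request and is accepting (stays 'pending') as long as no ack occurs.
ACCEPT = {('req', 'pending'), ('busy', 'pending')}
SAFE = {('idle', 'init'): [('req', 'init'), ('req', 'pending')],
        ('req', 'init'): [('busy', 'init')], ('busy', 'init'): [('ack', 'init')],
        ('ack', 'init'): [('idle', 'init')],
        ('req', 'pending'): [('busy', 'pending')], ('busy', 'pending'): []}
STUCK = {**SAFE, ('busy', 'init'): [('busy', 'init')],   # 'busy' never acks
         ('busy', 'pending'): [('busy', 'pending')]}
```

`find_accepting_cycle(SAFE, ('idle', 'init'), ACCEPT)` returns None because the only accepting states lead to a dead end once the ack would occur, while the STUCK graph yields the lasso idle, req, busy followed by the busy/pending self-loop.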
- Spin does not perform the model checking itself but generates C sources for a problem-specific model checker. This rather antique technique saves memory and speeds things up, and also allows chunks of C code to be inserted directly into the model.
Finite state machine
- A finite state machine (FSM) or finite automaton is a model of behavior composed of states, transitions and actions. A state stores information about the past, i.e. it reflects the input changes from the system start to the present moment. A transition indicates a state change and is described by a condition that would need to be fulfilled to enable the transition. An action is a description of an activity that is to be performed at a given moment.
References
- http://spinroot.com/spin/whatispin.html
- http://spinroot.com/spin/Doc/Book_extras/index.html
- "The Spin Model Checker" by Gerard J. Holzmann, ISBN 0321228626