SPIN Search Algorithm from THE SPIN MODEL CHECKER


SPIN Search Algorithm, from “The SPIN Model Checker” by G. Holzmann. Presented by Hong, Shin, 9th Nov 2007. (Footer: 2020-09-30, SPIN Search Algorithm, Hong, Shin @ PSWLAB, slide 1/24)


Contents
• Introduction
• Checking Safety Properties
• Checking Liveness Properties
• Adding Fairness
• Further work


Introduction 1/1
• A global reachability graph A = {S, s0, L, T, F} is generated by the PROMELA semantic engine (S: states, s0: initial state, L: transition labels, T: transitions, F: accepting states).
• The global reachability graph A captures the behavior of the asynchronous (interleaved) execution of the processes A1 … Ak.
• It is used to verify correctness properties of PROMELA models:
  - Checking safety properties
  - Checking liveness properties


Checking Safety Properties 1/7
• The depth-first search algorithm systematically visits every reachable state.
• During the depth-first search, safety properties can be checked: absence of deadlock states, progress assertions, and system invariants. Each of these is a property that a single reachable state s either satisfies or violates, so it is checked at every state as it is visited.
• The algorithm uses a stack (the current path from s0, which is also the error trail when a violation is found) and a state space (the set of states already visited).


Checking Safety Properties 2/7: Basic Depth-First Search Algorithm

    Stack D = {} ; Statespace V = {}

    Start() {
        Add_Statespace(V, A.s0) ;
        Push_Stack(D, A.s0) ;
        Search() ;
    }

    Search() {
        s = Top_Stack(D) ;
        foreach (s, l, s’) ∈ A.T
            if In_Statespace(V, s’) == false {
                Add_Statespace(V, s’) ;
                Push_Stack(D, s’) ;
                Search() ;
            }
        Pop_Stack(D) ;
    }


Checking Safety Properties 3/7: Extended Algorithm for Checking Safety Properties

    Stack D = {} ; Statespace V = {}

    Start() {
        Add_Statespace(V, A.s0) ;
        Push_Stack(D, A.s0) ;
        Search() ;
    }

    Search() {
        s = Top_Stack(D) ;
        if (!Safety(s)) Print_Stack(D) ;      // the stack is the error trail
        foreach (s, l, s’) ∈ A.T
            if In_Statespace(V, s’) == false {
                Add_Statespace(V, s’) ;
                Push_Stack(D, s’) ;
                Search() ;
            }
        Pop_Stack(D) ;
    }


Checking Safety Properties 4/7
• The depth-first search algorithm can easily be adapted into a depth-limited search, which guarantees coverage of all states up to a given depth bound.
[Figure: states S0, S1, S2 and a transition e, searched with depth limit 2]
• Store the depth value together with each state in the state space V.


Checking Safety Properties 5/7: Depth-Limited Search

    Stack D = {} ; Statespace V = {}

    Start() {
        Add_Statespace(V, A.s0) ;
        Push_Stack(D, A.s0) ;
        Search() ;
    }

    Search() {
        if (Depth >= BOUND) return ;
        Depth++ ;
        s = Top_Stack(D) ;
        if !Safety(s) Print_Stack(D) ;
        foreach (s, l, s’) ∈ A.T
            if In_Statespace(V, s’, Depth) == false {
                Add_Statespace(V, s’, Depth) ;
                Push_Stack(D, s’) ;
                Search() ;
            }
        Pop_Stack(D) ;
        Depth-- ;
    }

• The depth at which each state was visited is stored in the state space when pan.c is compiled with the DREACH option. In_Statespace(V, s’, Depth) then returns false when s’ was previously seen only at a greater depth, so the state is re-explored; without this, a state first reached near the bound would cut off paths that the bound should still cover.


Checking Safety Properties 6/7: Stateless Search

    Stack D = {}

    Start() {
        Push_Stack(D, A.s0, 0) ;
        Search() ;
    }

    Search() {
        s = Top_Stack(D) ;
        if (!Safety(s)) {
            Print_Stack(D) ;
            if (iterative) BOUND = DEPTH ;
        }
        foreach (s, l, s’) ∈ A.T
            if (In_Stack(D, s’) == false) {
                Push_Stack(D, s’) ;
                Search() ;
            }
        Pop_Stack(D) ;
    }

• No state space V is kept: a successor is skipped only if it is already on the stack, so the search still terminates but may revisit a state many times. In iterative mode, each reported error tightens BOUND to the depth at which it was found, so later searches only report shorter trails.


Checking Safety Properties 7/7: Breadth-First Search Algorithm

    Queue D = {} ; Statespace V = {}

    Start() {
        Add_Statespace(V, A.s0) ;
        Add_Queue(D, A.s0) ;
        Search() ;
    }

    Search() {
        while (Empty_Queue(D) == false) {
            s = Del_Queue(D) ;
            foreach (s, l, s’) ∈ A.T {
                if (In_Statespace(V, s’) == false) {
                    Add_Statespace(V, s’) ;
                    Add_Queue(D, s’) ;
                }
            }
        }
    }

(The Safety(s) check is applied to each dequeued state s just as in the depth-first version.)

• Pros
  - Guarantees the shortest possible error trail
• Cons
  - Additional work is necessary for error trace generation: there is no stack to print, so a predecessor link must be stored for each state
  - Hard to extend beyond safety properties
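The three searches on slides 5 to 10 carried out on a small model, as an added example that is not part of the original slides or of SPIN's pan.c: the model (two processes using a broken check-then-set flag protocol, so mutual exclusion can be violated), its state encoding and its transition labels are assumptions of this example. It shows the DFS error trail taken from the stack, the depth-limited variant with the re-visit-at-smaller-depth rule described for DREACH, and the BFS trail reconstructed from predecessor links.

```python
"""Explicit-state safety checking in the style of the slides' pseudocode:
depth-first search with an error trail, depth-limited DFS, and BFS.

Constructed example (not the slides' own model): two processes use a broken
check-then-set flag protocol, so mutual exclusion can be violated.
"""
from collections import deque

CRIT = 2  # program counter value of the critical section


def successors(state):
    """Yield (label, next_state) for every enabled transition of the
    asynchronous product. state = (pc0, pc1, flag0, flag1)."""
    pc0, pc1, flag0, flag1 = state
    pcs, flags = [pc0, pc1], [flag0, flag1]
    for i in (0, 1):
        j = 1 - i
        npcs, nflags = list(pcs), list(flags)
        if pcs[i] == 0:
            if flags[j] != 0:        # wait until the other flag is clear
                continue             # transition not enabled in this state
            npcs[i] = 1
        elif pcs[i] == 1:
            nflags[i] = 1            # claim the flag *after* the check: the bug
            npcs[i] = CRIT
        else:
            nflags[i] = 0            # leave the critical section
            npcs[i] = 0
        yield f"P{i}:pc{pcs[i]}", (npcs[0], npcs[1], nflags[0], nflags[1])


def safe(state):
    """Safety(s) of the slides: the system invariant (at most one process in
    the critical section) plus 'no invalid end state' (every state has a
    successor; all processes loop forever, so a stuck state is a deadlock)."""
    if state[0] == CRIT and state[1] == CRIT:
        return False
    return any(True for _ in successors(state))


INIT = (0, 0, 0, 0)


def dfs_safety(init=INIT, bound=None):
    """Depth-first search. Returns the error trail (transition labels from
    init to the bad state) or None. With bound, this is the depth-limited
    search of the slides: the depth is stored with each state and a state is
    re-explored when reached again at a smaller depth (the DREACH rule), so
    coverage is complete for trails of at most `bound` transitions."""
    visited = {init: 0}      # statespace V, with the depth of each state
    trail, found = [], []    # stack D (as labels) and the reported trail

    def search(s, depth):
        if found:
            return
        if bound is not None and depth > bound:
            return
        if not safe(s):
            found.append(list(trail))   # Print_Stack(D)
            return
        for label, t in successors(s):
            if t not in visited or (bound is not None and visited[t] > depth + 1):
                visited[t] = depth + 1
                trail.append(label)
                search(t, depth + 1)
                trail.pop()             # Pop_Stack(D)

    search(init, 0)
    return found[0] if found else None


def bfs_safety(init=INIT):
    """Breadth-first search: the first bad state found is at minimal depth, so
    the trail is the shortest possible, but there is no stack to print; the
    predecessor link kept per state is the 'additional work' for the trace."""
    parent = {init: None}    # doubles as the statespace V
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if not safe(s):
            trail = []
            while parent[s] is not None:
                label, s = parent[s]
                trail.append(label)
            return trail[::-1]
        for label, t in successors(s):
            if t not in parent:
                parent[t] = (label, s)
                queue.append(t)
    return None


if __name__ == "__main__":
    print("DFS trail:       ", dfs_safety())
    print("DFS, bound 3:    ", dfs_safety(bound=3))
    print("DFS, bound 4:    ", dfs_safety(bound=4))
    print("BFS trail:       ", bfs_safety())
```

The shortest violation needs four transitions (both checks must pass before either flag is set), so the depth-limited search reports nothing with bound 3 and finds the trail with bound 4; in this small model the DFS trail happens to be as short as the BFS one, which is not guaranteed in general.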


Checking Liveness Properties 1/5
• In a finite system, an infinite run is only possible if the run is cyclic.
• We are particularly interested in the case where the set of states that are reached infinitely often contains one or more accepting states, since these runs correspond to accepting ω-runs.
• An accepting cycle exists in the global reachability graph if and only if
  (1) at least one accepting state is reachable from the initial state, and
  (2) at least one of those accepting states is reachable from itself.
• The nested depth-first search algorithm is used for checking liveness properties.
c.f. In the synchronous product A of automata A1 and A2, A.F is the set of pairs (s1, s2) ∈ A.S where s1 ∈ A1.F or s2 ∈ A2.F.


Checking Liveness Properties 2/5
• When the depth-first search determines that an accepting state has been reached and all successors of that state have been explored, it starts a nested search to see whether the state is reachable from itself. The nested search is therefore started in post-order.
• Store a copy of the accepting state in a global variable called seed.
• Store pairs of a state and a boolean variable toggle as the stack and state space elements; toggle is false in the outer search and true in the nested search, so each state can be visited once in each.


Checking Liveness Properties 3/5 and 4/5: Nested Depth-First Search

    Stack D = {} ; Statespace V = {} ;
    State seed = nil ; Boolean toggle = false ;

    Start() {
        Add_Statespace(V, A.s0, toggle) ;
        Push_Stack(D, A.s0, toggle) ;
        Search() ;
    }

    Search() {
        (s, toggle) = Top_Stack(D) ;
        foreach (s, l, s’) ∈ A.T {
            if (toggle == true) {
                if (s’ == seed || On_Stack(D, s’, false)) {
                    Print_Stack(D) ;
                    Pop_Stack(D) ;
                    return ;
                }
            } // end of if (toggle == true)
            if (In_Statespace(V, s’, toggle) == false) {
                Add_Statespace(V, s’, toggle) ;
                Push_Stack(D, s’, toggle) ;
                Search() ;
            }
        } // end of foreach
        if (s ∈ A.F && toggle == false) {
            seed = s ;
            toggle = true ;
            Push_Stack(D, s, toggle) ;
            Search() ;
            Pop_Stack(D) ;
            seed = nil ;
            toggle = false ;
        } // end of if
        Pop_Stack(D) ;
    } // end of Search()


Checking Liveness Properties 5/5
• In the nested search, if a successor was already visited with toggle value true, it is not explored again.
  - Nested searches are executed in post-order, so such a successor was explored by the nested search of an earlier accepting state.
[Figure: Za is the seed accepting state; Ze is a successor of Za already visited with toggle value true; Zn is an earlier accepting state from which Ze was reachable]


Adding Fairness 1/8
• What will be the result from SPIN?

    bit a = 0 ;

    active proctype A() {
        do
        :: a = 0 ;
        od ;
    }

    active proctype B() {
        do
        :: a = 1 ;
        od ;
    }

    never {
    accept_init:
    T0_init:
        if
        :: (!a) -> goto T0_init ;
        fi ;
    }

    -bash-3.1$ ./a.out -a
    warning: for p.o. reduction to be valid the never claim must be stutter-invariant
    (never claims generated from LTL formulae are stutter-invariant)
    pan: acceptance cycle (at depth 0)
    pan: wrote fairness.pml.trail
    (Spin Version 4.2.7 -- 23 June 2006)
    :
    :
    -bash-3.1$ spin -t -p fairness.pml
    Starting A with pid 0
    Starting B with pid 1
    Starting :never: with pid 2
    <<<<<START OF CYCLE>>>>>
    Never claim moves to line 23 [(!(a))]
    2: proc 0 (A) line 7 "fairness.pml" (state 1) [a = 0]
    spin: trail ends after 2 steps

• SPIN reports an acceptance cycle: in the reported run only A executes, keeping a = 0 forever, so the never claim stays in its accepting state. B is enabled throughout but never runs.


Adding Fairness 2/8
Strong Fairness: An ω-run σ satisfies the strong fairness requirement if it contains infinitely many transitions from every component automaton that is enabled infinitely often in σ.
Weak Fairness: An ω-run σ satisfies the weak fairness requirement if it contains infinitely many transitions from every component automaton that is enabled infinitely long in σ.
* A component automaton Ai is said to be enabled at state s of the global automaton A if s has at least one valid outgoing transition from Ai.


Adding Fairness 3/8
• Choueka's flag construction method
  - SPIN only checks weak fairness of components.
  - For a global reachability graph A that is the product of k component automata A1, A2, …, Ak:
  (1) Create k+2 copies (0 to k+1) of the global reachability graph.
  (2) Preserve the acceptance labels only in the 0-th copy and remove the acceptance labels from all states in the remaining copies.
  (3) Change the destinations of all outgoing transitions of accepting states in the 0-th copy to point to the same states in the 1-st copy.
  (4) In the i-th copy (1 ≤ i ≤ k), change the destination of each transition that was contributed by component automaton Ai to the same state in the (i+1)-th copy.
  (5) In the (k+1)-th copy, change all transitions so that their destination state is in the 0-th copy.
  (6) Add a null transition from every state s in the i-th copy (1 ≤ i ≤ k) to the same state in the (i+1)-th copy whenever component automaton Ai has no enabled transitions in s.


Adding Fairness 4/8
[Figure: (k+2)-times unfolded state space for weak fairness, showing copy 0, copy 1, copy 2, …, copy k+1; transitions are labelled by the _pid (1 … k) of the component that contributes them, and each transition with _pid = i leads from copy i to copy i+1]


Adding Fairness 5/8
• These changes neither add nor remove behavior, but any accepting ω-run in the (k+2)-times unfolded state space now necessarily includes transitions from all k component automata: the acceptance labels exist only in copy 0, and returning to copy 0 requires passing through copies 1 … k, where copy i is left only by a transition of Ai or by a null transition taken when Ai is not enabled.
• Nested depth-first search on the unfolded graph can therefore be used to detect all fair accepting runs of the original graph.
• This algorithm enforces weak fairness.
• In the SPIN implementation, each state holds 2(k+2) additional bits to represent the (k+2) copies of the global reachability graph.


Adding Fairness 6/8

    bit a = 0 ;

    active proctype A() /* pid=1 */ {
        do
        :: (a == 0) -> accept: a = 1 ;
        od ;
    }

    active proctype B() /* pid=2 */ {
        do
        :: (a == 1) -> a = 0 ;
        od ;
    }

[Figure: state S1 (a=0) --pid=1--> S2 (a=1) --pid=2--> S1]


Adding Fairness 7/8
[Figure: the state space of the previous slide unfolded into copy 0, copy 1, copy 2 and copy 3 (k = 2), with states S01, S02 in copy 0, S11, S12 in copy 1, S21, S22 in copy 2 and S31, S32 in copy 3]


Adding Fairness 8/8
• Add weak fairness (-f option of ‘pan’)

    bit a = 0 ;

    active proctype A() {
        do
        :: a = 0 ;
        od ;
    }

    active proctype B() {
        do
        :: a = 1 ;
        od ;
    }

    never {
    accept_init:
    T0_init:
        if
        :: (!a) -> goto T0_init ;
        fi ;
    }

    ./a.out -f -a
    warning: for p.o. reduction to be valid the never claim must be stutter-invariant
    (never claims generated from LTL formulae are stutter-invariant)
    (Spin Version 4.2.7 -- 23 June 2006)
            + Partial Order Reduction

    Full statespace search for:
            never claim             +
            assertion violations    + (if within scope of claim)
            acceptance cycles       + (fairness enabled)
            invalid end states      - (disabled by never claim)

• With weak fairness enabled, the cycle reported on slide 16, in which B is continuously enabled but never executes, no longer counts as an accepting run.
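The nested depth-first search of slides 12 to 15 and the (k+2)-copy unfolding of slides 18 to 20, run on the model of slides 16 and 23, as an added example that is not part of the original slides or of SPIN's pan.c. The graphs are built by hand: the first is the product graph of that model as described on the slides (A keeps a = 0, B sets a = 1, the claim accepts while !a holds and blocks once a = 1); the second is an invented two-state ring in which both components move on every cycle. The component numbering, the (state, copy) encoding of the unfolded graph and the null-transition label 0 are assumptions of this example.

```python
"""Nested depth-first search for accepting cycles, and Choueka's (k+2)-copy
unfolding that restricts it to weakly fair runs, following the slides.

Constructed graphs (not generated by SPIN). A graph maps each state to a
list of (component index, successor); component indices are 1..k.
"""


class _Found(Exception):
    """Raised inside the nested search when a cycle is closed."""


def nested_dfs(graph, init, accepting):
    """Return (prefix, cycle) as lists of states, or None if no accepting
    cycle exists. As on the slides, every stored state carries a toggle bit:
    the outer search runs with toggle False; when an accepting state is
    fully explored (post-order) it becomes the seed of a nested search with
    toggle True, which reports as soon as it reaches the seed or any state
    still on the outer stack."""
    visited = set()   # (state, toggle) pairs: the statespace V
    stack = []        # (state, toggle) pairs: the stack D

    def search(s, toggle, seed):
        stack.append((s, toggle))
        visited.add((s, toggle))
        for _, t in graph[s]:
            if toggle and (t == seed or (t, False) in stack):
                raise _Found(t)          # stack now holds the full trail
            if (t, toggle) not in visited:
                search(t, toggle, seed)  # successors seen with this toggle are skipped
        if not toggle and s in accepting:
            search(s, True, s)           # nested search from this seed
        stack.pop()

    try:
        search(init, False, None)
    except _Found as hit:
        prefix = [s for s, tg in stack if not tg]
        cycle = [s for s, tg in stack if tg] + [hit.args[0]]
        return prefix, cycle
    return None


def unfold_weak_fair(graph, accepting, k):
    """Choueka's flag construction from the slides: k+2 copies of the graph.
    Returns (graph2, accepting2) over states (s, copy). Component i counts
    as enabled in s if s has an outgoing transition contributed by i."""
    graph2, accepting2 = {}, set()
    for s, edges in graph.items():
        for c in range(k + 2):
            out = []
            for i, t in edges:
                if c == 0:
                    dest = 1 if s in accepting else 0      # step (3)
                elif c <= k:
                    dest = c + 1 if i == c else c          # step (4)
                else:
                    dest = 0                               # step (5)
                out.append((i, (t, dest)))
            if 1 <= c <= k and not any(i == c for i, _ in edges):
                out.append((0, (s, c + 1)))                # step (6): null move
            graph2[(s, c)] = out
            if c == 0 and s in accepting:                  # step (2)
                accepting2.add((s, c))
    return graph2, accepting2


# Product graph for the model on the 'Adding Fairness 1/8' slide (constructed
# by hand): A (component 1) keeps a = 0, B (component 2) sets a = 1, and the
# never claim accepts as long as !a holds. "a0": a == 0 with the claim at
# accept_init; "a1": a == 1, where the claim blocks and the run ends.
STARVE = {"a0": [(1, "a0"), (2, "a1")], "a1": []}
STARVE_ACCEPT = {"a0"}

# A ring in which both components move on every cycle (constructed), so the
# accepting cycle is weakly fair and must survive the unfolding.
RING = {"s1": [(1, "s2")], "s2": [(2, "s1")]}
RING_ACCEPT = {"s2"}


if __name__ == "__main__":
    print("unfair model, plain search:  ", nested_dfs(STARVE, "a0", STARVE_ACCEPT))
    g, acc = unfold_weak_fair(STARVE, STARVE_ACCEPT, 2)
    print("unfair model, weak fairness: ", nested_dfs(g, ("a0", 0), acc))
    g, acc = unfold_weak_fair(RING, RING_ACCEPT, 2)
    print("fair ring, weak fairness:    ", nested_dfs(g, ("s1", 0), acc))
```

On the original graph the nested search closes the self-loop on a0, which is the acceptance cycle pan reports without -f. On the unfolded graph the only way from copy 2 back to copy 0 is a move of B, which leads to a1 where the claim blocks, so no accepting cycle remains. In the ring the cycle passes through copies 0, 1, 2 and 3 using both components and is still found.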


Further Work
• Search Optimization (Ch. 9): Partial Order Reduction, Bitstate Hashing, State Compression, etc.