Distributed Systems Programming F29NM1 SPIN: Formal Analysis II **Andrew Ireland** School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh # Overview - Introduce temporal logic. - Focus on SPIN's temporal reasoning capabilities, *i.e.* model checking. - Sketch the foundational issues that underpin model checking. #### The Story So Far ... - Verifying properties with respect to particular points within a process execution (local assertions) or across the whole execution of a system (global assertions). - Verifying properties with respect to complete execution cycles, both desirable (end-states & progress cycles) and undesirable (accept cycles). - But what if we want to reason about how properties change over time, *i.e.* reason about the temporal ordering of events? This calls for **temporal logic**. # Linear Temporal Logic (LTL) - LTL = Propositional Logic + Temporal Operators - Propositional constants: true, false any name that starts with a lowercase letter • Propositional operators: && conjunction || disjunction -> implication ! negation • Temporal operators: [] always <> eventually U until ## Some Generic Temporal Properties • Invariance (safety): []p During any execution trace all states satisfy p, e.g. []!(doors==open && lift==moving) • Response: [](p -> <>q) Every state that satisfies p is eventually followed by a state that satisfies q, e.g [](call\_lift -> <>(lift\_arrives)) • Precedence: [](p -> (q U r)) Every state that satisfies p is followed by a sequence of states that satisfy q and the sequence is terminated with a state that satisfies r, e.g. [](start\_lift ->(lift\_running U stop\_running) # Temporal Reasoning in SPIN - Step 1: Run the "LTL Property Manager". - Step 2: Enter the temporal property you wish to verify. Note that you must use lowercase names for propositional constants. - Step 3: Indicate whether the temporal property should hold on: - all executions (desired behaviour) or - no executions (error behaviour) - Step 4: Enter a macro-definition for each propositional constant within the "Symbol Definitions" sub-window. - Step 5: Press the "Run Verification" button and then "Run" button within the "LTL Verification" window. Note that LTL properties can be saved for future use (see the "Save As" and "Load" buttons). #### TrainWare Revisited #### • Desired behaviour: ``` []!(full(TunnelAB) || full(TunnelBC) || full(TunnelCD) || full(TunnelDA)) ``` This property should hold on **all executions**, *i.e.* always the case that none of the tunnels is occupied by more than one train. #### • Error behaviour: ``` <>(full(TunnelAB) || full(TunnelBC) || full(TunnelCD) || full(TunnelDA)) ``` This property should hold on **no executions**, *i.e.* if eventually a tunnel is occupied by more than one train then our design is flawed. The setup windows for the examples given above are presented on the following two slides ... # Complete Model of Division Algorithm ``` byte in1, in2; byte a, b, quo, rem; bit load = 0, done = 1; proctype quo_rem() do ::(load == 1) -> a = in1; b = in2; quo = 0; rem = a; done = 0; ::(load != 1) -> if :: (rem >= b) -> rem = rem-b; quo = quo+1; :: (b > rem) -> done = 1 fi od ``` # Modelling Hardware Environment - Environment (env) initiates register (a, b, quo, rem) initialization by setting load to 1. - While load is 1, hardware (quo\_rem) sets registers using the input values (in1, in2), done is set to 0 when complete. - Environment (env) initiates calculation by setting load to 0, load is held at this value until done becomes 1. # Verifying Responsiveness - Desired property: - In every state in which load is 1, a equals in1 and b equals in2, then eventually done will become 1 and the registers will satisfy (a == ((quo \* b) + rem)). - []((load == 1 && in1 == a && in2 == b) -> <> (done == 1 && a == ((quo \* b) + rem))) - Verification failure: - LTL verifier will fail to prove this property because SPIN's default execution model does not guarantee **fairness**. - In particular, if env never gets to set load to 0 then the calculation will never progress beyond the initialization phase. # Fairness - Fairness is a special case of liveness and relates to the how the underlying process scheduler deals with contention, *i.e.* clients competing for the same computational resource. - Notions of fairness: - Weak-fairness (just): a process that continuously makes a request will eventually be serviced. - Strong-fairness (compassionate): a process that makes a request infinitely often will eventually be serviced. ## Specifying Weak Fairness in SPIN - SPIN supports a weak-fairness model that can be selected via the "LTL Verification" window (a sub-window of "Linear Time Logic Formulae" window). - Alternatively, the weak-fairness requirement can be expressed explicitly within the LTL property: ``` [](done == 0 -> load == 0) -> []((load == 1 && in1 == a && in2 == b) -> <> (done == 1 && a == ((quo * b) + rem))) ``` Note that the extra condition ensures that whenever **done** is set to 0 then load will be 0, i.e. the **env** process will not be continuously blocked. Of course it is up to the implementor to ensure this assumption becomes a reality! ## Temporal Reasoning: How Does It Work? - A Promela model of a system is defined in terms of process templates. - System level verification requires a representation that expresses all possible behaviours that the system can exhibit. - To achieve this, SPIN translates each process template into a finite automaton. - A single automaton that models the behaviour of the whole system can be calculated by taking the **asynchronous** interleaving product of all the processes. - This product automaton defines the system model, *i.e.* the state space of the system, and is represented as a graph called the **reachability graph**. ## Temporal Reasoning: How Does It Work? - SPIN attempts to verify a **temporal property** by proving that its negation is not satisfied by the system model. - SPIN translates the negated temporal property into a special Promela process called a **never claim**. - A never claim defines behaviours that are undesirable or erroneous. Note that if verifying an error behaviour, then the original property is not negated. - Verification corresponds to checking that no execution sequence within the system model matches (synchronizes) with the never claim, *i.e.* no acceptance cycles are detected. - Matching is implemented at the level of the reachability graph and a graph representation of the never claim. ## Summary #### Learning outcomes: - To be able to understand & write temporal properties expressed in LTL. - To be able to use XSPIN to verify temporal properties of system models. - To understand the notion of fairness and how it relates to the behaviour of a system model. - To have a basic understanding of how SPIN's temporal reasoning mechanism works. #### Recommended reading: - "The Model Checker SPIN", G.J. Holzmann, IEEE Transactions on Software Engineering, Vol 23 (5), 1997. - "Concise Promela Reference" see course homepage