A Promela front-end for Spot Guillaume Sadegh LRDE EPITA Research - - PowerPoint PPT Presentation

Introduction Promela and state-space generation Implementation Benchmark Conclusion

A Promela front-end for Spot

Guillaume Sadegh

LRDE – EPITA Research and Development Laboratory

July 02, 2008

Guillaume Sadegh A Promela front-end for Spot 1 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Spot [Duret-Lutz and Poitrenaud, 2004]

• Reminder. . .

◮ Model Checking library. ◮ Set of algorithms and data type to build a model checker. ◮ Relies on the automata-theoretic approach to model

checking.

Guillaume Sadegh A Promela front-end for Spot 2 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Automata-theoretic approach

High-level model M LTL formula ϕ

Figure: Automata-theoretic approach to model-checking.

Guillaume Sadegh A Promela front-end for Spot 3 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Automata-theoretic approach

High-level model M LTL formula ϕ State-graph generation State-graph automaton AM LTL-to-Büchi translation Negated formula automaton A¬ϕ

Figure: Automata-theoretic approach to model-checking.

Guillaume Sadegh A Promela front-end for Spot 3 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Automata-theoretic approach

High-level model M LTL formula ϕ State-graph generation State-graph automaton AM LTL-to-Büchi translation Negated formula automaton A¬ϕ

• Synch. product

Product automaton AM ⊗ A¬ϕ

Figure: Automata-theoretic approach to model-checking.

Guillaume Sadegh A Promela front-end for Spot 3 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Automata-theoretic approach

High-level model M LTL formula ϕ State-graph generation State-graph automaton AM LTL-to-Büchi translation Negated formula automaton A¬ϕ

• Synch. product

Product automaton AM ⊗ A¬ϕ Emptiness check M | = ϕ or counter-example

Figure: Automata-theoretic approach to model-checking.

Guillaume Sadegh A Promela front-end for Spot 3 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Automata-theoretic approach

Provided by Spot High-level model M LTL formula ϕ State-graph generation State-graph automaton AM LTL-to-Büchi translation Negated formula automaton A¬ϕ

• Synch. product

Product automaton AM ⊗ A¬ϕ Emptiness check M | = ϕ or counter-example

Figure: Automata-theoretic approach to model-checking.

Guillaume Sadegh A Promela front-end for Spot 3 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Automata-theoretic approach

Provided by Spot Missing High-level model M LTL formula ϕ State-graph generation State-graph automaton AM LTL-to-Büchi translation Negated formula automaton A¬ϕ

• Synch. product

Product automaton AM ⊗ A¬ϕ Emptiness check M | = ϕ or counter-example

Figure: Automata-theoretic approach to model-checking.

Guillaume Sadegh A Promela front-end for Spot 3 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Adding a Promela front-end

Why

• 1. To work on more abstract models.
• 2. To take advantage of a large set of models.
• 3. To compare Spot and another model checker (SPIN).

Guillaume Sadegh A Promela front-end for Spot 4 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Outline

1

Promela and state-space generation

2

Implementation Existing hack NIPS Virtual Machine

3

Benchmark

4

Conclusion

Guillaume Sadegh A Promela front-end for Spot 5 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Outline

1

Promela and state-space generation

2

Implementation Existing hack NIPS Virtual Machine

3

Benchmark

4

Conclusion

Guillaume Sadegh A Promela front-end for Spot 6 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Promela

High-level modeling language

Overview

◮ The modeling language of the SPIN model checker

[Holzmann, 1990].

◮ To represent concurrent systems with abstraction.

Why Promela ?

• 1. SPIN is the most used model-checker worldwide.
• 2. There is a large collection of Promela models to test or use

with our algorithms.

Guillaume Sadegh A Promela front-end for Spot 7 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Promela

High-level modeling language

Overview

◮ The modeling language of the SPIN model checker

[Holzmann, 1990].

◮ To represent concurrent systems with abstraction.

Why Promela ?

• 1. SPIN is the most used model-checker worldwide.
• 2. There is a large collection of Promela models to test or use

with our algorithms.

Guillaume Sadegh A Promela front-end for Spot 7 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Promela semantics

A Promela program is a set of

◮ Processes. ◮ Message channels. ◮ Variables.

Let’s see an example.

Guillaume Sadegh A Promela front-end for Spot 8 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Promela example

The dinning philosopher problem

Dining philosophers problem

✞ ☎

chan stick_1 = [ 1 ]

• f

{ bool } ; chan stick_2 = [ 1 ]

• f

{ bool } ; byte p1 , p2 ; /∗ Id

• f

processes ∗/ proctype philo (chan l e f t _ s t i c k , r i g h t _ s t i c k ) { do : : l e f t _ s t i c k ?_ ; /∗ Wait f o r data from the l e f t s t i c k ∗/ take_r : r i g h t _ s t i c k ?_ ; /∗ Wait f o r data from the r i g h t s t i c k ∗/ release_l : l e f t _ s t i c k ! 1 ; /∗ F i l l the l e f t s t i c k ∗/ release_r : r i g h t _ s t i c k ! 1 ; /∗ F i l l the r i g h t s t i c k ∗/

• d

} i n i t { atomic { stick_1 ! 1 ; stick_2 ! 1 ; p1 = run philo ( stick_1 , stick_2 ) ; /∗ Philosopher 1 ∗/ p2 = run philo ( stick_2 , stick_1 ) ; /∗ Philosopher 2 ∗/ } }

✝ ✆

Guillaume Sadegh A Promela front-end for Spot 9 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

State-space generation

with the philosophers stick_1: f stick_2: f p[p1]@take_r p[p1]@release_l p[p1]@release_r p[p2]@ take_r p[p2]@ release_l p[p2]@ release_r

proctype philo(chan left_s, right_s)

{ do :: left_s?_; /* Wait */ take_r: right_s?_; /* Wait */ release_l: left_s!1; /* Send */ release_r: right_s!1; /* Send */

• d

}

Guillaume Sadegh A Promela front-end for Spot 10 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

State-space generation

with the philosophers stick_1: f stick_2: f stick_1: f stick_2: e stick_1: e stick_2: f p[p1]@take_r p[p1]@release_l p[p1]@release_r p[p2]@ take_r p[p2]@ release_l p[p2]@ release_r

proctype philo(chan left_s, right_s)

{ do :: left_s?_; /* Wait */ take_r: right_s?_; /* Wait */ release_l: left_s!1; /* Send */ release_r: right_s!1; /* Send */

• d

}

Guillaume Sadegh A Promela front-end for Spot 10 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

State-space generation

with the philosophers stick_1: f stick_2: f stick_1: f stick_2: e stick_1: e stick_2: f stick_1: e stick_2: e stick_1: e stick_2: e stick_1: e stick_2: e p[p1]@take_r p[p1]@release_l p[p1]@release_r p[p2]@ take_r p[p2]@ release_l p[p2]@ release_r

proctype philo(chan left_s, right_s)

{ do :: left_s?_; /* Wait */ take_r: right_s?_; /* Wait */ release_l: left_s!1; /* Send */ release_r: right_s!1; /* Send */

• d

}

Guillaume Sadegh A Promela front-end for Spot 10 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

State-space generation

with the philosophers stick_1: f stick_2: f stick_1: f stick_2: e stick_1: e stick_2: f stick_1: e stick_2: e stick_1: e stick_2: e stick_1: e stick_2: e stick_1: f stick_2: e stick_1: e stick_2: f p[p1]@take_r p[p1]@release_l p[p1]@release_r p[p2]@ take_r p[p2]@ release_l p[p2]@ release_r

proctype philo(chan left_s, right_s)

{ do :: left_s?_; /* Wait */ take_r: right_s?_; /* Wait */ release_l: left_s!1; /* Send */ release_r: right_s!1; /* Send */

• d

}

Guillaume Sadegh A Promela front-end for Spot 10 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

State-space generation

with the philosophers stick_1: f stick_2: f stick_1: f stick_2: e stick_1: e stick_2: f stick_1: e stick_2: e stick_1: e stick_2: e stick_1: e stick_2: e stick_1: f stick_2: e stick_1: e stick_2: f p[p1]@take_r p[p1]@release_l p[p1]@release_r p[p2]@ take_r p[p2]@ release_l p[p2]@ release_r

proctype philo(chan left_s, right_s)

{ do :: left_s?_; /* Wait */ take_r: right_s?_; /* Wait */ release_l: left_s!1; /* Send */ release_r: right_s!1; /* Send */

• d

}

Guillaume Sadegh A Promela front-end for Spot 10 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

never claims

LTL formulæ in Promela

For our example

◮ “Does the process philosopher 1 always run ?” ◮ In LTL: GF(♣❤✐❧♦[♣✶]@r❡❧❡❛s❡_r)

✞ ☎

never { T0 _ i ni t : i f : : ( philo [ p1 ] @release_r ) −> goto accept_S9 : : (1) −> goto T0 _ i ni t f i ; accept_S9 : i f : : (1) −> goto T0 _ i ni t f i ; }

✝ ✆

Guillaume Sadegh A Promela front-end for Spot 11 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

State-space generation

with the philosophers. . . and never claims stick_1: f stick_2: f stick_1: f stick_2: e stick_1: e stick_2: e stick_1: e stick_2: f stick_1: e stick_2: f stick_1: e stick_2: e stick_1: f stick_2: e stick_1: e stick_2: e p[p1]@take_r p[p1]@release_l p[p1]@release_r p[p2]@ take_r p[p2]@ release_l p[p2]@ release_r

Guillaume Sadegh A Promela front-end for Spot 12 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Outline

1

Promela and state-space generation

2

Implementation Existing hack NIPS Virtual Machine

3

Benchmark

4

Conclusion

Guillaume Sadegh A Promela front-end for Spot 13 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Promela in Spot

We have to deal with

◮ Combinatorial explosion. ◮ On-the-fly computation. ◮ Promela semantics.

Guillaume Sadegh A Promela front-end for Spot 14 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Promela in Spot

We have to deal with

◮ Combinatorial explosion. ◮ On-the-fly computation. ◮ Promela semantics.

Guillaume Sadegh A Promela front-end for Spot 14 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Promela in Spot

We have to deal with

◮ Combinatorial explosion. ◮ On-the-fly computation. ◮ Promela semantics.

Guillaume Sadegh A Promela front-end for Spot 14 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion Existing hack

Existing hack

Using SPIN

◮ SPIN has a verbose option (for debugging). ◮ A script used to generate a TGBA file with SPIN. ◮ We can not explore the graph on-the-fly. ◮ We need SPIN ◮ Generated automata were huge

Guillaume Sadegh A Promela front-end for Spot 15 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion NIPS Virtual Machine

The NIPS Virtual Machine [Weber, 2007]

Overview

◮ A virtual machine for state-space generation. ◮ Generate the state-space, and provide functions to explore

it.

◮ Input: NIPS bytecode, generated from a Promela model.

The virtual machine has been added to Spot (GPL), and interfaced as a TGBA.

Guillaume Sadegh A Promela front-end for Spot 16 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion NIPS Virtual Machine

The NIPS Virtual Machine [Weber, 2007]

Overview

◮ A virtual machine for state-space generation. ◮ Generate the state-space, and provide functions to explore

it.

◮ Input: NIPS bytecode, generated from a Promela model.

The virtual machine has been added to Spot (GPL), and interfaced as a TGBA.

Guillaume Sadegh A Promela front-end for Spot 16 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion NIPS Virtual Machine

The NIPS Virtual Machine [Weber, 2007]

Expected interface with Spot Provided by Spot NIPS Compiler High-level model M LTL formula ϕ State-graph generation with NIPSVM State-graph automaton AM LTL-to-Büchi translation Negated formula automaton A¬ϕ

• Synch. product

Product automaton AM ⊗ A¬ϕ Emptiness check M | = ϕ or counter-example

Guillaume Sadegh A Promela front-end for Spot 17 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion NIPS Virtual Machine

The NIPS Virtual Machine [Weber, 2007]

Drawbacks of the VM

• 1. In the NIPS bytecode, states properties are unamed. We

can not do the synchronized product with negated LTL formula.

• 2. The bytecode does not handle all the Promela semantics.

However

◮ We can use never claims to express properties. ◮ We can use our emptiness check algorithms.

Guillaume Sadegh A Promela front-end for Spot 18 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion NIPS Virtual Machine

The NIPS Virtual Machine [Weber, 2007]

Drawbacks of the VM

• 1. In the NIPS bytecode, states properties are unamed. We

can not do the synchronized product with negated LTL formula.

• 2. The bytecode does not handle all the Promela semantics.

However

◮ We can use never claims to express properties. ◮ We can use our emptiness check algorithms.

Guillaume Sadegh A Promela front-end for Spot 18 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion NIPS Virtual Machine

The NIPS Virtual Machine [Weber, 2007]

NIPS in Spot Spot High-level model M (Promela) LTL formula ϕ (as a never claim) NIPS compiler Bytecode NIPSVM

(state space generator)

TGBA Emptiness check M | = ϕ or counter-example

Figure: Spot with NIPS.

Guillaume Sadegh A Promela front-end for Spot 19 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Outline

1

Promela and state-space generation

2

Implementation Existing hack NIPS Virtual Machine

3

Benchmark

4

Conclusion

Guillaume Sadegh A Promela front-end for Spot 20 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Benchmark

Why

◮ To compare same models as SPIN. ◮ We know that we are less efficient than SPIN.

Guillaume Sadegh A Promela front-end for Spot 21 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Benchmark: Memory consumption

Results – An electro-mechanical relay circuits. [van Eijk, 1997]

SPIN Spot 5 circuits

0M 1M 2M 3M 4M 5M 6M 7M

4M 7M

48772 states. 350638 transitions.

6 circuits

0M 5M 10M 15M 20M 25M 30M 35M

7M 35M

248280 states. 2038280 transitions.

7 circuits

0M 30M 60M 90M 120M 150M 180M

32M

166M

1285188 states. 11863791 transitions.

Guillaume Sadegh A Promela front-end for Spot 22 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Outline

1

Promela and state-space generation

2

Implementation Existing hack NIPS Virtual Machine

3

Benchmark

4

Conclusion

Guillaume Sadegh A Promela front-end for Spot 23 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Conclusion

Achievement

◮ Some algorithms of Spot can be used with Promela.

◮ We can compare emptiness check algorithms of Spot and

SPIN.

Future Work

◮ A state-graph without the lost of names.

◮ Extend SPIN to generate a state-space explorer. ◮ Write a Promela state-space explorer from scratch. Guillaume Sadegh A Promela front-end for Spot 24 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Conclusion

Achievement

◮ Some algorithms of Spot can be used with Promela.

◮ We can compare emptiness check algorithms of Spot and

SPIN.

Future Work

◮ A state-graph without the lost of names.

◮ Extend SPIN to generate a state-space explorer. ◮ Write a Promela state-space explorer from scratch. Guillaume Sadegh A Promela front-end for Spot 24 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Questions

Guillaume Sadegh A Promela front-end for Spot 25 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Bibliography I

Duret-Lutz, A. and Poitrenaud, D. (2004). Spot: an extensible model checking library using transition-based generalized Büchi automata. In Proceedings of the 12th IEEE/ACM International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems (MASCOTS’04). Holzmann, G. J. (1990). Design And Validation Of Computer Protocols. Prentice Hall PTR.

Guillaume Sadegh A Promela front-end for Spot 26 / 27

Introduction Promela and state-space generation Implementation Benchmark Conclusion

Bibliography II

van Eijk, P . (1997). Verifying relay circuits using state machines. In International SPIN Workshop. Weber, M. (2007). An embeddable virtual machine for state space generation. In SPIN 2007, pages 168–186.

Guillaume Sadegh A Promela front-end for Spot 27 / 27