Search Algorithm

SPIN Search Algorithm
from “THE SPIN MODEL CHECKER” by G Holzmann
Presented by Hong,Shin
9th Nov 2007
2017-07-28
SPIN Search Algorithm
Hong,Shin @ PSWLAB
1/24
Contents
• Introduction
• Checking Safety Properties
• Checking Liveness Properties
• Adding Fairness
• Further work
Introduction (1/1)
• A global reachability graph A = {S, s0, L, T, F} is generated by the PROMELA semantic engine.
• The global reachability graph A captures the behavior of the asynchronous execution of the processes A1 … Ak.
• SPIN verifies correctness properties of PROMELA models by
- checking safety properties
- checking liveness properties
Checking Safety Properties (1/7)
• A depth-first search systematically visits every reachable state.
• With a depth-first search, safety properties such as deadlock states, progress assertions, and system invariants that should hold at some state s can be checked.
• The algorithm uses a stack and a state space.
Checking Safety Properties (2/7)
Basic Depth-First Search Algorithm

  Stack D = {} ; Statespace V = {}
  Start() {
    Add_Statespace(V, A.s0) ;
    Push_Stack(D, A.s0) ;
    Search() ;
  }
  Search() {
    s = Top_Stack(D) ;
    foreach (s,l,s') ∈ A.T
      if In_Statespace(V, s') == false {
        Add_Statespace(V, s')
        Push_Stack(D, s')
        Search()
      }
    Pop_Stack(D)
  }
Checking Safety Properties (3/7)
Extended Algorithm for Checking Safety Properties

  Stack D = {} ; Statespace V = {}
  Start() {
    Add_Statespace(V, A.s0) ;
    Push_Stack(D, A.s0) ;
    Search() ;
  }
  Search() {
    s = Top_Stack(D) ;
    if (!Safety(s)) Print_Stack(D) ;
    foreach (s,l,s') ∈ A.T
      if In_Statespace(V, s') == false {
        Add_Statespace(V, s') ;
        Push_Stack(D, s') ;
        Search() ;
      }
    Pop_Stack(D) ;
  }
Checking Safety Properties (4/7)
• The depth-first search algorithm can easily be adapted into a depth-limited search that guarantees coverage up to a given depth bound.
[Figure: states S0, S1, S2 and an error state e; the depth limit is 2.]
• Store the depth value together with each state in the state space V.
Checking Safety Properties (5/7)
Depth-Limited Search

  Stack D = {} ; Statespace V = {}
  Start() {
    Add_Statespace(V, A.s0) ;
    Push_Stack(D, A.s0) ;
    Search() ;
  }
  Search() {
    if (Depth >= BOUND) return ;
    Depth++ ;
    s = Top_Stack(D) ;
    if !Safety(s) Print_Stack(D) ;
    foreach (s,l,s') ∈ A.T
      if In_Statespace(V, s', Depth) == false {
        Add_Statespace(V, s', Depth)
        Push_Stack(D, s')
        Search()
      }
    Pop_Stack(D) ;
    Depth-- ;
  }

The depth at which each state is visited is stored in the state space if pan.c is compiled with the DREACH option.
Checking Safety Properties (6/7)
Stateless Search

  Stack D = {} ;
  Start() {
    Push_Stack(D, A.s0, 0) ;
    Search() ;
  }
  Search() {
    s = Top_Stack(D) ;
    if (!Safety(s)) {
      Print_Stack(D) ;
      if (iterative) BOUND = DEPTH ;
    }
    foreach (s,l,s') ∈ A.T
      if (In_Stack(D, s') == false) {
        Push_Stack(D, s') ;
        Search() ;
      }
    Pop_Stack(D) ;
  }
Checking Safety Properties (7/7)
Breadth-First Search Algorithm

• Pros
- Guarantees the shortest possible error trace
• Cons
- Additional work is necessary for error trace generation
- Hard to extend beyond safety properties

  Queue D = {} ; Statespace V = {} ;
  Start() {
    Add_Statespace(V, A.s0) ;
    Add_Queue(D, A.s0) ;
    Search() ;
  }
  Search() {
    while (Empty_Queue(D) == false) {
      s = Del_Queue(D) ;
      foreach (s,l,s') ∈ A.T {
        if (In_Statespace(V, s') == false) {
          Add_Statespace(V, s') ;
          Add_Queue(D, s') ;
        }
      }
    }
  }
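The two safety-checking searches of this section, as an added example in Python that is not code from Holzmann's book or from SPIN's pan.c: the depth-first search with the Safety(s) check and the DREACH-style depth bound (slides 2/7 to 5/7), and the breadth-first search together with the parent bookkeeping needed to rebuild the shortest error trace (slide 7/7). The model is constructed for the example: a lock whose "test" and "set" are two separate steps, so mutual exclusion fails. The state encoding, the successor function, the function names and the bound values are the example's own assumptions, not SPIN's.

```python
from collections import deque

# Constructed model: two processes share one lock, but "test lock" and
# "set lock" are separate steps, so both can enter the critical section.
# State = (pc0, pc1, lock); pc 0 = test, 1 = set, 2 = critical section.
def successors(state):
    """The transition relation A.T of the asynchronous product, built on
    the fly; yields (process index, successor state)."""
    pc, lock = list(state[:2]), state[2]
    for i in range(2):
        nxt = pc[:]
        if pc[i] == 0 and lock == 0:        # test: lock looks free
            nxt[i] = 1
            yield i, (nxt[0], nxt[1], lock)
        elif pc[i] == 1:                     # set: take the lock (too late)
            nxt[i] = 2
            yield i, (nxt[0], nxt[1], 1)
        elif pc[i] == 2:                     # leave: release the lock
            nxt[i] = 0
            yield i, (nxt[0], nxt[1], 0)

def mutual_exclusion(state):
    """Safety(s): never both processes in the critical section."""
    return not (state[0] == 2 and state[1] == 2)

def dfs_safety(s0, succ, safety, bound=None):
    """Depth-first search of slides 2/7-5/7. Returns the stack D as the
    error trace for the first unsafe state, or None. V maps each state to
    the depth at which it was added (what pan stores with DREACH), so a
    state met again at a smaller depth is re-explored under a bound."""
    V = {s0: 0}
    D = [s0]
    depth = 0

    def search():
        nonlocal depth
        if bound is not None and depth >= bound:
            return None
        depth += 1
        s = D[-1]
        if not safety(s):
            return list(D)                   # Print_Stack(D)
        for _proc, t in succ(s):
            if t not in V or V[t] > depth:   # In_Statespace(V, t, Depth)
                V[t] = depth
                D.append(t)
                trace = search()
                if trace is not None:
                    return trace
                D.pop()
        depth -= 1
        return None

    return search()

def bfs_safety(s0, succ, safety):
    """Breadth-first search of slide 7/7: the first unsafe state found is
    at minimal depth, but the queue holds no path, so parents are recorded
    separately to rebuild the trace (the extra work the slide mentions)."""
    parent = {s0: None}                      # also serves as state space V
    queue = deque([s0])
    while queue:
        s = queue.popleft()
        if not safety(s):
            trace = []
            while s is not None:
                trace.append(s)
                s = parent[s]
            return trace[::-1]
        for _proc, t in succ(s):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None

if __name__ == "__main__":
    s0 = (0, 0, 0)
    print("dfs, bound 4:", dfs_safety(s0, successors, mutual_exclusion, bound=4))
    print("dfs, no bound:", dfs_safety(s0, successors, mutual_exclusion))
    print("bfs (shortest):", bfs_safety(s0, successors, mutual_exclusion))
```

The violating state (both processes at pc 2) lies at depth 4. With bound 4 the slide's `Depth >= BOUND` test fires before that state is examined, so the bounded search reports nothing; bound 5 and the unbounded search both return the five-state trace, and here the breadth-first search returns the same trace, which is the shortest one.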
Checking Liveness Properties (1/5)
• In a finite system, an infinite run is possible only if the run is cyclic.
• We are particularly interested in the case where the set of states reached infinitely often contains one or more accepting states, since these runs correspond to ω-accepting runs.
• An accepting cycle in the global reachability graph exists if and only if
(1) at least one accepting state is reachable from the initial state, and
(2) at least one of those accepting states is reachable from itself.
⇒ Use the nested depth-first search algorithm for checking liveness properties.
cf. In the synchronous product A of the automata A1 and A2, A.F is the set of pairs (s1, s2) ∈ A.S where s1 ∈ A1.F or s2 ∈ A2.F.
Checking Liveness Properties (2/5)
• When the depth-first search determines that an accepting state has been reached and all successors of that state have been explored, it starts a nested search to see whether the state is reachable from itself.
⇒ The nested search runs in post-order.
• Store a copy of the accepting state in a global variable called seed.
• Store pairs of a state and a boolean variable toggle as the elements of the stack and of the state space.
Checking Liveness Properties (3/5, 4/5)
Nested Depth-First Search Algorithm

  Stack D = {} ;
  Statespace V = {} ;
  State seed = nil ;
  Boolean toggle = false ;
  Start() {
    Add_Statespace(V, A.s0, toggle) ;
    Push_Stack(D, A.s0, toggle) ;
    Search() ;
  }
  Search() {
    (s, toggle) = Top_Stack(D) ;
    foreach (s, l, s') ∈ A.T {
      if (toggle == true) {
        if (s' == seed || On_Stack(D, s', false)) {
          Print_Stack(D) ;
          Pop_Stack(D) ;
          return ;
        }
      } // end of if (toggle == true)
      if (In_Statespace(V, s', toggle) == false) {
        Add_Statespace(V, s', toggle) ;
        Push_Stack(D, s', toggle) ;
        Search() ;
      }
    } // end of foreach
    if (s ∈ A.F && toggle == false) {
      seed = s ;
      toggle = true ;
      Push_Stack(D, s, toggle) ;
      Search() ;
      Pop_Stack(D) ;
      seed = nil ;
      toggle = false ;
    } // end of if
    Pop_Stack(D) ;
  } // end of Search()
Checking Liveness Properties (5/5)
• In the nested search, if a successor was already visited with toggle value true, that successor is not explored again.
- This is sound because the nested search is executed in post-order:
Za is the seed accepting state,
Ze is a successor with toggle value true,
Zn is an accepting state from which Ze was reachable.
[Figure: the states Zn, Ze and Za and the paths between them.]
Adding Fairness (1/8)
• What will be the result from SPIN?

  bit a = 0 ;
  active proctype A()
  {
    do :: a = 0 ; od ;
  }
  active proctype B()
  {
    do :: a = 1 ; od ;
  }
  never {
  accept_init:
  T0_init:
    if
    :: (!a) -> goto T0_init ;
    fi ;
  }

-bash-3.1$ ./a.out -a
warning: for p.o. reduction to be valid the never claim must be stutter-invariant
(never claims generated from LTL formulae are stutter-invariant)
pan: acceptance cycle (at depth 0)
pan: wrote fairness.pml.trail
(Spin Version 4.2.7 -- 23 June 2006)
:
:
-bash-3.1$ spin -t -p fairness.pml
Starting A with pid 0
Starting B with pid 1
Starting :never: with pid 2
<<<<<START OF CYCLE>>>>>
Never claim moves to line 23 [(!(a))]
2: proc 0 (A) line 7 "fairness.pml" (state 1) [a = 0]
spin: trail ends after 2 steps
Adding Fairness (2/8)
Strong Fairness
An ω-run σ satisfies the strong fairness requirement if it contains infinitely many transitions from every component automaton that is enabled infinitely often in σ.
Weak Fairness
An ω-run σ satisfies the weak fairness requirement if it contains infinitely many transitions from every component automaton that is enabled infinitely long in σ.
* A component automaton Ai is said to be enabled at state s of the global automaton A if s has at least one valid outgoing transition from Ai.
Adding Fairness (3/8)
• Choueka's flag construction method
- SPIN only checks weak fairness of components.
- Let the global reachability graph A be the product of the k component automata A1, A2, … Ak.
(1) Create k+2 copies (0 to k+1) of the global reachability graph.
(2) Preserve the acceptance labels only in the 0-th copy and remove the acceptance labels from all states in the remaining copies.
(3) Change the destination states of all outgoing transitions of accepting states in the 0-th copy to point to the same states in the 1-st copy.
(4) In the i-th copy (1 ≤ i ≤ k), change the destination of each transition that was contributed by component automaton Ai to the same state in the (i+1)-th copy.
(5) In the (k+1)-th copy, change all transitions such that their destination state is now in the 0-th copy.
(6) Add a null transition from every state s in the i-th copy (1 ≤ i ≤ k) to the same state in the (i+1)-th copy whenever component automaton Ai has no enabled transitions in s.
Adding Fairness (4/8)
[Figure: (k + 2) Times Unfolded State Space for Weak Fairness. The copies copy0, copy1, copy2, …, copy k+1 are shown side by side; transitions labelled _pid = 1..k leave copy0 and copy k+1, a transition labelled _pid = 1 leads from copy1 to copy2 and one labelled _pid = k leads from copy k to copy k+1, while transitions labelled _pid ≠ 1 and _pid ≠ 2 stay inside copy1 and copy2 respectively.]
Adding Fairness (5/8)
• These changes neither add nor remove behavior, but it should be clear that any accepting ω-run in the (k+2) times unfolded state space now necessarily includes transitions from all k component automata.
• Nested depth-first search on the unfolded graph can then be used to detect all fair accepting runs of the original graph.
• This algorithm can enforce weak fairness.
• In the SPIN implementation, each state holds 2(k+2) additional bits to represent the (k+2) copies of the global reachability graph.
Adding Fairness (6/8)

  bit a = 0 ;
  active proctype A() /* pid=1 */
  {
    do
    :: (a == 0) ->
  accept:
       a = 1 ;
    od ;
  }
  active proctype B() /* pid=2 */
  {
    do
    :: (a == 1) -> a = 0 ;
    od ;
  }

[Figure: two states S1 (a=0) and S2 (a=1); the pid=1 transition leads from S1 to S2 and the pid=2 transition leads from S2 back to S1.]
Adding Fairness (7/8)
[Figure: the two-state graph unfolded into copy 0, copy1, copy2 and copy3, with states S01, S11, S21, S31 and S02, S12, S22, S32.]
Adding Fairness (8/8)
• Add weak fairness (the -f option of 'pan')

  bit a = 0 ;
  active proctype A()
  {
    do :: a = 0 ; od ;
  }
  active proctype B()
  {
    do :: a = 1 ; od ;
  }
  never {
  accept_init:
  T0_init:
    if
    :: (!a) -> goto T0_init ;
    fi ;
  }

./a.out -f -a
warning: for p.o. reduction to be valid the never claim must be stutter-invariant
(never claims generated from LTL formulae are stutter-invariant)
(Spin Version 4.2.7 -- 23 June 2006)
	+ Partial Order Reduction
Full statespace search for:
	never claim             +
	assertion violations    + (if within scope of claim)
	acceptance   cycles     + (fairness enabled)
	invalid end states      - (disabled by never claim)
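The nested depth-first search of the liveness section and the (k+2)-copy unfolding of the fairness section, as an added example in Python that is not code from Holzmann's book or from SPIN's pan.c. It reproduces the two pan runs on these slides on hand-built product graphs: the a=0/a=1 model with its never claim (slides 1/8 and 8/8), where -a reports the one-process cycle that -f -a rejects, and the two-state sketch of slide 6/8, whose cycle uses both processes and therefore survives the unfolding. The graph encoding (state to list of (component, successor) pairs), the choice of S1 as the accepting state of the sketch, the null-move label 0 and all function names are the example's own assumptions.

```python
# Graphs are dicts {state: [(component, successor), ...]}; component is the
# index 1..k of the process that contributed the move, and any never claim
# is already folded into the product states.

def nested_dfs(graph, s0, accepting):
    """Post-order nested depth-first search (Liveness slides 3/5-4/5).
    Returns None if no accepting cycle exists; otherwise the states on the
    stack when the cycle closed, followed by the repeated state, so the
    toggle=false part is the prefix and the rest is the cycle, as in a
    SPIN trail."""
    visited = set()      # state space V: pairs (state, toggle)
    stack = []           # stack D: pairs (state, toggle)
    on_stack = set()

    def search(s, toggle, seed):
        stack.append((s, toggle))
        on_stack.add((s, toggle))
        visited.add((s, toggle))
        for _comp, t in graph.get(s, []):
            # inner search: back at the seed, or onto the outer stack,
            # which lies on the path to the seed -> accepting cycle
            if toggle and (t == seed or (t, False) in on_stack):
                return [x for x, _ in stack] + [t]
            if (t, toggle) not in visited:
                found = search(t, toggle, seed)
                if found is not None:
                    return found
        # post-order: the inner search starts only after all successors
        # of the accepting state have been explored
        if not toggle and s in accepting:
            found = search(s, True, s)
            if found is not None:
                return found
        stack.pop()
        on_stack.discard((s, toggle))
        return None

    return search(s0, False, None)

def unfold_weak_fairness(graph, accepting, k):
    """Choueka's flag construction as on Fairness slide 3/8: copies 0..k+1,
    node (i, s) = state s in copy i, acceptance labels only in copy 0."""
    states = set(graph) | {t for succs in graph.values() for _, t in succs}
    unfolded = {}
    for s in states:
        succs = graph.get(s, [])
        enabled = {comp for comp, _ in succs}
        for i in range(k + 2):
            out = []
            for comp, t in succs:
                if i == 0:
                    j = 1 if s in accepting else 0   # step (3)
                elif i == k + 1:
                    j = 0                            # step (5)
                elif comp == i:
                    j = i + 1                        # step (4)
                else:
                    j = i
                out.append((comp, (j, t)))
            if 1 <= i <= k and i not in enabled:     # step (6): null move
                out.append((0, (i + 1, s)))          # 0 = no component
            unfolded[(i, s)] = out
    return unfolded, {(0, s) for s in accepting}

def find_accepting_cycle(graph, s0, accepting, k, weak_fairness=False):
    """Like pan -a, or pan -f -a when weak_fairness is set."""
    if not weak_fairness:
        return nested_dfs(graph, s0, accepting)
    ug, acc = unfold_weak_fairness(graph, accepting, k)
    trail = nested_dfs(ug, (0, s0), acc)
    return None if trail is None else [s for _, s in trail]

# Constructed graph for the model of slides 1/8 and 8/8: A (pid 1) keeps
# setting a = 0, B (pid 2) keeps setting a = 1, the one-state never claim
# accepts while !a. Product state "a0" is accepting; in "a1" the claim's
# guard (!a) fails, so nothing can move.
UNFAIR_MODEL = {"a0": [(1, "a0"), (2, "a1")], "a1": []}

# Constructed graph for the two-state sketch of slide 6/8: S1 (a = 0, A at
# its accept label) and S2 (a = 1); A moves S1 -> S2, B moves S2 -> S1.
FAIR_MODEL = {"S1": [(1, "S2")], "S2": [(2, "S1")]}

if __name__ == "__main__":
    for name, g, s0, acc in (("unfair", UNFAIR_MODEL, "a0", {"a0"}),
                             ("fair", FAIR_MODEL, "S1", {"S1"})):
        print(name, "-a   :", find_accepting_cycle(g, s0, acc, 2))
        print(name, "-f -a:", find_accepting_cycle(g, s0, acc, 2, True))
```

On the first graph the plain search closes the cycle at depth 0 with A's self-loop alone, matching the pan output of slide 1/8; after unfolding with k = 2, leaving copy 1 needs a move by A and leaving copy 2 needs a move by B, and since B's only move leads to the blocked state a1, no cycle returns to the accepting copy 0, matching slide 8/8. On the second graph the cycle S1 → S2 → S1 already uses both processes, so it is found both before and after the unfolding, where it winds once through all four copies.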
Further Work
• Search Optimization (Ch. 9)
– Partial Order Reduction, Bitstate Hashing, State Compression, etc.