# CS477 Formal Software Development Methods

```
Elsa L Gunter
              2112 SC, UIUC
            egunter@illinois.edu
http://courses.engr.illinois.edu/cs477
```

Slides mostly a reproduction of Theo C. Ruys - SPIN Beginners' Tutorial

April 18 2018

never Claims

-v: verbose

reproducibility)

• never claims used to describe systemwide behavior that should be impossible

CS477 Formal Software Development Metho

• monitor process show similar idea

**SPIN Commandline Options** 

The following are some useful commandline options:

• -a: Generate code for project-specific verifier • Default: run SPIN as a simulator

• -s: Print send statements and their effects

• 1 Show changes to local variables

• g Show changes to global variables

• -uN Limit number of steps taken to N • -t Run simulation driven by an error trail • -kfilename use the trail file stored in filename

• -r: Print receive statements and their effects

• -p: Print at each state which process took which step

• -nN: Use N as random seed, instead of clock (good for

- monitor checks property is true in some interleaved fashion
- never claim check a proerty does not happen (anywhere in any
- never claim takes a step after every step of every other process

# SPIN Checking never claim

```
bash-3.2$ spin -p -v -n123 -l -g -k mutexwrong1a.pml.trail mut
spin: mutexwrong1a.pml:0, warning, proctype P, 'bit i' varia
starting claim 1
using statement merging
 1: proc - (never_0) mutexwrong1a.pml:15 (state 3) [else]
Never claim moves to line 15 [else]
Starting P with pid 2
  2: proc 0 (:init:) mutexwrong1a.pml:20 (state 1) [(run P(0)
Starting P with pid 3
 3: proc 0 (:init:) mutexwrong1a.pml:20 (state 2) [(run P(1)
  4: proc - (never_0) mutexwrong1a.pml:15 (state 3) [else]
 5: proc 2 (P) mutexwrong1a.pml:4 (state 1) [((flag!=1))]
          - (never_0) mutexwrong1a.pml:15 (state 3) [else]
 7: proc 1 (P) mutexwrong1a.pml:4 (state 1) [((flag!=1))]
  8: proc - (never_0) mutexwrong1a.pml:15 (state 3) [else]
```

# Common SPIN Workflow

- Write SPIN model; put in file filename
- Debug syntax with: spin -u1000 filename
- Check assertions, bad end states with:
  - spin -a filename
  - e gcc -o pan pan.c
  - ./pan
  - Read the output
  - If you have an error trail: spin -t -p filename
- To see if an LTL formula does not hold:
  - Put LTL formula in file ItIfile
  - spin -F ItIfile > neverclaimfile
  - spin -a -N neverclaimfile filename
  - gcc -o pan pan.c
  - ./pan
  - Read the output
  - If you have an error trail: spin -t -p filename

Never Claims: mutextwrong1a.pml

```
bit flag; /* signal entering/leaving the section */
byte mutex; /* # procs in the critical section. */
proctype P(bit i) {
  flag != 1;
  flag = 1;
  mutex++;
  printf("MSC: P(%d) has entered section\n", i);
  mutex--;
  flag = 0
never{ do
       :: ((mutex != 0)&&(mutex != 1)) -> break
       od }
init { atomic { run P(0); run P(1) } }
```

```
9: proc 2 (P) mutexwrong1a.pml:5 (state 2) [flag = 1]
flag = 1
10: proc - (never_0) mutexwrong1a.pml:15 (state 3) [else]
11: proc 2 (P) mutexwrong1a.pml:6 (state 3)
[mutex = (mutex+1)]
mutex = 1
12: proc - (never_0) mutexwrong1a.pml:15 (state 3) [else]
                 MSC: P(1) has entered section.
13: proc 2 (P) mutexwrong1a.pml:7 (state 4)
[printf('MSC: P(%d) has entered section.n',i)]
14: proc - (never_0) mutexwrong1a.pml:15 (state 3) [else]
15: proc 1 (P) mutexwrong1a.pml:5 (state 2) [flag = 1]
16: proc - (never_0) mutexwrong1a.pml:15 (state 3) [else]
17: proc 1 (P) mutexwrong1a.pml:6 (state 3)
[mutex = (mutex+1)]
mutex = 2
```

```
18: proc - (never_0) mutexwrong1a.pml:14 (state 1)
[(((mutex!=0)&&(mutex!=1)))]
Never claim moves to line 14 [(((mutex!=0)&&(mutex!=1)))]
spin: trail ends after 19 steps
#processes: 3
flag = 1
mutex = 2
19: proc 2 (P) mutexwrong1a.pml:8 (state 5)
19: proc 1 (P) mutexwrong1a.pml:7 (state 4)
19: proc 0 (:init:) mutexwrong1a.pml:21 (state 4) <valid end 19: proc - (never_0) mutexwrong1a.pml:17 (state 7) <valid end 3 processes created
```

# Traffic Light Example

```
mtype {NS, EW, Red, Yellow, Green}
bit Turn = 0;
mtype Color[2];

proctype Light(bit myId) {
   mtype otherId = 1 - myId;
   do
   :: Turn == myId && Color[myId] == Red
        -> Color[myId] = Green
   :: Color[myId] == Green -> Color[myId] = Yellow
   :: Color[myId] == Yellow
        -> Color[myId] = Red; Turn = otherId
   od
}
```

```
        ←□→←∅→←≥→←≥→
        ≥
        √Q

        CS477 Formal Software Development Method
        / 27
```

```
init { Color[0] = Red;
    Color[1] = Red;
    atomic{run Light(0); run Light(1)}
}
```

```
init { atomic{Color[0] = Red; Color[1] = Red};
        atomic{run Light(0); run Light(1)}
/* End of File: trafficlight.pml */
Can test this with
bash-3.2$ spin -p -l -g -u50 trafficlight.pml
  0: proc - (:root:) creates proc 0 (:init:)
  1: proc 0 (:init:) trafficlight.pml:18 (state 1) [Color[0] = Red
Color[0] = Red
Color[1] = 0
  2: proc 0 (:init:) trafficlight.pml:19 (state 2) [Color[1] = Red
Color[0] = Red
Color[1] = Red
Starting Light with pid 1
 3: proc 0 (:init:) creates proc 1 (Light)
3: proc 0 (:init:) trafficlight.pml:20 (state 5) [(run Light(0))]
Starting Light with pid 2
  4: proc 0 (:init:) creates proc 2 (Light)
  4: proc 0 (:init:) trafficlight.pml:20 (state 4) [(run Light(1))
                     CS477 Formal Software Development Metho
```

```
LTL to Never Claim
bash-3.2$ spin -f '<>(!(Color[0] == Red
 || Color[1] == Red))' >& trafficlightnever.pml
bash-3.2$ cat trafficlightnever.pml
never
           /* <>(!(Color[0] == Red || Color[1] == Red)) */
T0_init
do
:: atomic ((!(Color[0] == Red || Color[1] == Red)))
           -> assert(!((!(Color[0] == Red || Color[1] == Red))))
:: (1) -> goto T0_init
od:
accept_all:
skip
```

# Using never Claim in Separate File

```
To use file containing never claim:
bash-3.2$ spin -a -N trafficlightnever.pml trafficlight.pml
bash-3.2$ gcc -o pan pan.c
bash-3.2$ ./pan omissions
Full statespace search for:
never claim
                   + (never_0)
assertion violations + (if within scope of claim)
acceptance cycles - (not selected)
invalid end states - (disabled by never claim)
State-vector 44 byte, depth reached 26, errors: 0
       13 states, stored
       1 states, matched
       14 transitions (= stored+matched)
```

(1 of 17 states) unreached in init (0 of 4 states) unreached in claim never\_0 ./trafficlightnever.pml:9, state 10, "-end-" (1 of 10 states) pan: elapsed time 0.02 seconds pan: rate 650 states/second

./trafficlight.pml:17, state 17, "-end-"

Properties (1)

0 (resolved)

Model checking tools automatically verify whether

holds, where M is a (finite-state) model of a system and property  $\phi$  is stated in some formal notation.

- With SPIN one may check the following type of properties:
  - deadlocks (invalid endstates)

1 atomic steps

hash conflicts:

- assertions
- unreachable code
- LTL formulae
- liveness properties
  - · non-progress cycles (livelocks)
  - · acceptance cycles



Theo C. Ruys - SPIN Beginners' Tutorial



satisfied. Thursday 11-Apr-2002

Theo C. Ruys - SPIN Beginners' Tutorial

Process Light never ends, so its end state never reached

# Properties (2)

Historical Classification

### safety property

unreached in proctype Light

- "nothing bad ever happens"
- invariant
- x is always less than 5 deadlock freedom
- the system never reaches a state where no actions are possible
- SPIN: find a trace leading to the "bad" thing. If there is not

such a trace, the property is

### liveness property

- "something good will eventually happen"
- termination the system will eventually
- terminate if action X occurs then
- SPIN: find a (infinite) loop in which the "good" thing does not happen. If there is not such a loop, the property is satisfied.

eventually action Y will occur

















