Modelling, Specification, and Verification of Distributed Systems VT'07, 5p

19-20 april, 8-9 maj, och 29-30 maj, 2007.

Contents , Schedule , Examination , Course Material , Info on SPIN

Background

Software systems are becoming an important part of the infrastructure of our society. Correctness and reliability have become issues of outmost importance. Testing and correction of software systems are irksome processes which typically consume half of the resources for system development. Thus, we need tools for analyzing software systems with the purpose of checking that they conform to their intended behavior, and for locating imperfections (``bugs'') that will cause run-time errors, security vulnerabilities, crashes, undelivered functionality, etc.

This course concentrates on techniques to verify and find bugs in concurrent and parallel software systems. Problems that arise from the parallel execution of several threads, processes, or components are particularly hard to find a diagnose. In particular, the course teaches model checking. Model checking techniques can automatically analyze a pseudo-code description of a communication protocol, a concurrent algorithm, etc. and find all potential errors. The course will also cover basics of structured testing for concurrent and parallel software, as well verification of software.

The material will be practically demonstrated with the tool SPIN. Spin supports a high level language to specify systems descriptions, called PROMELA (a PROcess MEta LAnguage). Spin has been used to trace logical design errors in distributed systems design, such as operating systems, data communications protocols, switching systems, concurrent algorithms, railway signaling protocols, etc. The tool checks the logical consistency of a specification. It reports on deadlocks, unspecified receptions, flags incompleteness, race conditions, and unwarranted assumptions about the relative speeds of processes. Spin can also be used to illustrate techniques in structured software testing, and has an extension to extract verification models from ANSI-C code.

The course is conducted in three two-day sessions. The topics covered at each session are:

First Session, April 19-20
The first session will cover modeling, specification, and verification, using the paradigm of linear-time temporal logic and the "automata-theoretic approach". It will also cover the SPIN tool and the Promela language, which are built on these concepts.

Motivation for and Overview of the course.
Modelling reactive systems
- The notions of modeling, analysis, verification, validation, and how they relate to the things in the course.
- Transition Systems.
Specification of Requirements/Linear Models
- How to specify correctness.
- safety and liveness.
- Temporal Logic(s)
- Automata over finite and infinite words
Verification
- Principles: the automata-theoretic approach
- Basic algorithms for checking reachability and repeated reachability properties
- Verification of temporal logic and automata properties.
SPIN and Promela

Second Session, May 8-9
The second session will cover algorithms that make the verification of correctness properties efficient. It will show how to optimize models to make them amenable to verification. Specific classes of protocols, distributed algorithms, etc. will be presented, modeled, and discussed from the point of view of verification.

Verification algorithms and optimizations
- Compression of state spaces
- Partial order reduction
- Atomic sequences
- Abstraction
Application to different types of algorithms and properties
- Communication protocols
- Synchronization protocols
- Security protocols
- Distributed algorithms.

Third Session, May 29-30
The third session will briefly cover extensions of the verification techniques to cover test generation and verification of software (given in ANSI-C). For the verification of ANSI-C programs, there is an extension of SPIN, ModEx, which transforms C programs into Promela to allow formal verification.

Testing and Test Generation
- Principles of black-box and white-box testing (functional vs. structural testing)
- Different criteria for test selection, based on reliability, coverage etc.
- Tools for test case generation
Verification of software
- Principles of software verification
- ModEx, a tool for extracting Promela models from ANSI-C programs.

The course will use the SPIN tool.

Preliminary Schedule

April 19-20, 2007: Uppsala Universitet, MIC, room 2:245
Preliminary Schedule April 19:
- 10.15-12.00 - Lectures
- 12.00-13.15 - Lunch
- 13.15-16.00 - Lectures
- 16.15-18.00 - Laboration
Preliminary Schedule April 20:
- 09.15-12.00 - Lectures
- 12.00-13.15 - Lunch
- 13.15-17.00 - Lectures and Exercises.
May 8-9, 2007: Uppsala Universitet, MIC, room 2:345
Preliminary Schedule May 8
- 10.15-12.00 - Lectures
- 12.00-13.15 - Lunch
- 13.15-16.00 - Lectures
- 16.15-18.00 - Exercises, looking at homework
Preliminary Schedule May 9
- 09.15-12.00 - Lectures
- 12.00-13.15 - Lunch
- 13.15-17.00 - Lectures and Exercises.
May 29-30, 2007: Uppsala Universitet, MIC, room 2:214
Preliminary Schedule May 29
- 10.15-12.00 - Lectures
- 12.00-13.15 - Lunch
- 13.15-15.00 - Lectures
- 15.15-17.00 - Exercises, looking at homework
Preliminary Schedule May 20
- 09.15-12.00 - Lectures
- 12.00-13.15 - Lunch
- 13.15-17.00 - Lectures and Conclusions

Examination

The following are part of examination

Homework Assignments will be given between sessions.

Homework Assignments

Homework 1 to be done until May 8.
Homework 2 to be done until May 29.

Course Material

Course material covering the different parts of the course:

Handouts will be given for the lectures.

Specification/Verification/Temporal Logic:
There are several written accounts of the automata-theoretic approach to formal verification, with varying degrees of accessibility. examples are

by Madhavan Mukund
An automata-theoretic approach to automatic program verification by Moshe Y. Vardi, and Pierre Wolper, Proc. First LICS, 1986, pp. 322-331. (PDF)
SPIN and Promela
- There is a rather new book,The SPIN MODEL CHECKER Primer and Reference Manual by Gerard Holzmann,
- There is an older book Design and Validation of Computer Protocols, G.J. Holzmann, Prentice Hall 1991, which is partly outdated, out of print, and can be downloaded from here.
- An overview paper of Spin, with verification examples, is: The Model Checker Spin, IEEE Trans. on Software Engineering, Vol. 23, No. 5, May 1997, pp. 279-295. (PDF)
- Spin Online References
SPIN Models: Here is a sequence of models used in lectures. ab1, ab2, ab3, ab4, ab5, ab6, ab7. ab8. ab9. ab10. wolf-sheep-cabbage. hippies problem. Bad example from IEEE paper.
Overnight exercise: trono1, trono2, trono3, trono4,
Elevator (due to Holzmann). 5 way handshake (full). 5 way handshake (abstraction).
Test Generation: To be Added
Software Verification: To be Added

SPIN: some information.

At the IT department, SPIN is installed in /stud/docs/kurs/ReactiveSystems/bin/spin

XSPIN is installed in /stud/docs/kurs/ReactiveSystems/bin/xspin

SPIN home page

Reference Material

Following are papers and books that are relevant for the course.

G.J. Holzmann. Protocol design: Redefining the state of the art. IEEE Software , 9(1):17--22, Jan. 1992. Can be downloaded from here
Symbolic Model Checking, Ken McMillan, Ph.Thesis (revised) Can be downloaded from here
E.M. Clarke and E.A. Emerson and A.P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. In ACM Transactions on Programming Languages and Systems, 8(2):244- 263, 1986
A.U. Shankar. An introduction to assertional reasoning for concurrent systems. Computing Surveys , 25(3):225--262, Sept. 1993.
E.M. Clarke, O. Grumberg, M. Minea, D. Peled: State space reduction using partial order techniques International Journal on Software Tools for Technology Transfer 2 (1999) 3, 279-287 Can be downloaded from here
Kim G. Larsen, Paul Pettersson, Wang Yi: UPPAAL in a nutshell International Journal on Software Tools for Technology Transfer 1 (1997) 1-2, 134-152 Can be downloaded from here
Model Checking, E.M.Clarke, O. Grumberg, D. Peled. MIT Press, December 1999. ISBN 0-262-03270-8
Symbolic Model Checking, Ken McMillan, Ph.Thesis (revised) Can be downloaded from here
Principles of Concurrent Programming, M. Ben-Ari, Prentics Hall
Design and Validation of Computer Protocols, G.J. Holzmann, Prentice Hall 1991, Can be downloaded from here
Parallel Program Design: a Foundation, K. Mani Chandy och Jayadev Misra, Addison-Wesley 1988,
The Temporal Logic of Reactive and Concurrent Systems, Z. Manna och A. Pnueli, Springer Verlag 1991.