The SPIN System
What is SPIN?
Model-checker.
Based on automata theory.
Allows LTL or automata specification.
Efficient (on-the-fly model checking, partial order reduction).
Developed in Bell Laboratories.
Documentation
Paper: The model checker SPIN, G.J. Holzmann, IEEE Transactions on Software Engineering, Vol. 23, 279-295.
Web: http://netlib.belllabs.com/netlib/spin/whatispin.html
The language of SPIN
The expressions are from C. The communication primitives are from CSP. The control constructs are from the Guarded Command language.
Expressions
Arithmetic: +, -, *, /, %
Comparison: >, >=, <, <=, ==, !=
Boolean: &&, ||, !
Assignment: =
Increment/decrement: ++, --
Declaration
byte name1, name2=4, name3;
bit b1,b2,b3;
short s1,s2;
int arr1[5];
Message types and channels
mtype = {OK, READY, ACK};
mtype Mvar = ACK;
chan Ng=[2] of {byte, byte, mtype}, Next=[0] of {byte};
Condition
if
:: x%2==1 -> z=z*y; x--
:: x%2==0 -> y=y*y; x=x/2
fi
Looping
do
:: x>y -> x=x-y
:: y>x -> y=y-x
:: else -> goto outside
od;
outside: …
Processes
proctype prname (byte Id; chan Comm)
{
    statements
}
run prname (7, Con[1]);

active [12] proctype prname (…) { … }
Init process
init { statements }

init {
    byte I=0;
    atomic {
        do
        :: I<10 -> run prname(I, Comm[I]); I=I+1   /* Comm is a channel array; 'chan' itself is a keyword */
        :: I==10 -> break
        od
    }
}
Examples of mutual exclusion
Reference: A. Ben-Ari, Principles of Concurrent and Distributed Programs, Prentice-Hall 1990.
General structure
loop
    Non_Critical_Section;
TR: Pre_Protocol;
CR: Critical_Section;
    Post_Protocol;
end loop;

Propositions: inCRi, inTRi.
Properties
loop
    Non_Critical_Section;
TR: Pre_Protocol;
CR: Critical_Section;
    Post_Protocol;
end loop;

Assumption: ~<>[]inCRi
Requirements: []~(inCR0 /\ inCR1)
              [](inTRi --> <>inCRi)
Not assuming: []<>inTRi
Turn:bit:=1;
task P0 is
begin
loop
Non_Critical_Sec;
Wait Turn=0;
Critical_Sec;
Turn:=1;
end loop
end P0.
task P1 is
begin
loop
Non_Critical_Sec;
Wait Turn=1;
Critical_Sec;
Turn:=0;
end loop
end P1.
Translating into SPIN
#define critical (incrit[0] || incrit[1])
byte turn=0, incrit[2]=0;

proctype P (bool id)
{
    do
    :: 1 ->
        do                      /* non-critical section: may loop forever or leave */
        :: 1 -> skip
        :: 1 -> break
        od;
try:    do                      /* pre-protocol: wait for my turn */
        :: turn==id -> break
        od;
cr:     incrit[id]=1;           /* critical section */
        incrit[id]=0;
        turn=1-turn             /* post-protocol */
    od
}

init { atomic{ run P(0); run P(1) } }
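As an added example (not from the slides), the same model with the requirements from the Properties slide written as SPIN `ltl` claims. The propositions inCRi are taken from the `incrit` array and inTRi from remote references to the `try` label; the pids are an assumption about start order (init is pid 0, so `run P(0)` is pid 1 and `run P(1)` is pid 2).

```promela
/* Added example: the turn-based mutual-exclusion model plus the slide's two
 * requirements as ltl claims. Assumed pids: P(0) is pid 1, P(1) is pid 2. */
byte turn = 0, incrit[2] = 0;

proctype P(bool id)
{
	do
	:: 1 ->
		do                          /* non-critical section: may stay here forever */
		:: 1 -> skip
		:: 1 -> break
		od;
try:	do                          /* pre-protocol: wait for my turn */
		:: turn == id -> break
		od;
cr:		incrit[id] = 1;             /* critical section */
		incrit[id] = 0;
		turn = 1 - turn             /* post-protocol: hand the turn over */
	od
}

init { atomic { run P(0); run P(1) } }

/* propositions of the Properties slide */
#define inCR0 (incrit[0] == 1)
#define inCR1 (incrit[1] == 1)
#define inTR0 (P[1]@try)            /* process 0 is waiting in its pre-protocol */
#define inTR1 (P[2]@try)

/* []~(inCR0 /\ inCR1): holds, turn is only handed over after leaving cr */
ltl mutex     { [] !(inCR0 && inCR1) }

/* [](inTRi -> <>inCRi): violated. pan reports an acceptance cycle in which one
 * process stays in its non-critical section forever while the other waits at try
 * with turn pointing at the idle process. Only under the extra assumption []<>inTRi
 * (both keep trying), which the slide explicitly does not make, would this hold. */
ltl progress0 { [] (inTR0 -> <> inCR0) }
ltl progress1 { [] (inTR1 -> <> inCR1) }
```

Each claim is verified on its own: `spin -a mutex.pml && gcc -o pan pan.c && ./pan -a -N mutex` passes, `./pan -a -N progress1` writes a trail, and `spin -t -p mutex.pml` replays it step by step so the starvation scenario can be read off.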
The leader election algorithm
A directed ring of computers. Each has a unique value. Communication is from left to right.
Find out which value is the greatest.
Example: a ring of six processes with the values 7, 2, 3, 12, 9, 4 (figure).
Informal description:
Initially, all the processes are active.
A process that finds out that it does not hold a value that can be the maximum becomes passive.
A passive process just transfers values from left to right.
More description
The algorithm executes in phases. In each phase, each process first sends its current value to the right.
Each process, when receiving the first value from its left, compares it to its current value. If they are the same, this is the maximum: tell the others. If not, send the current value again to the left.
Continued
When receiving the second value, compare the three values received: the value of the process itself, the value of the left active process, and the value of the second active process to the left.
If the left active process has the greatest value, keep this value. Otherwise, become passive.
(Figure: the ring 7, 2, 3, 12, 9, 4 after each process has sent its value to the right; the values 3, 2, 9, 7, 4, 12 are travelling.)
(Figure: each process now holds the value received from its left together with its own value: (3, 7), (2, 9), (9, 4), (7, 2), (4, 12), (12, 3).)
(Figure: after the first phase only the processes holding 9, 7 and 12 remain active; in the next phase they receive the pairs (12, 7), (7, 9), (9, 12).)
(Figure: a single active process remains, holding the maximal value 12.)
send(1, my_number); state := active;
when received(1, number) do
    if state = active then
        if number != max then
            send(2, number); neighbor := number;
        else
            (max is greatest, send to all processes);
        end if;
    else
        send(1, number);
    end if;
end do;
when received(2, number) do
    if state = active then
        if neighbor > number and neighbor > max then
            max := neighbor; send(1, neighbor);
        else
            state := passive;
        end if;
    else
        send(2, number);
    end if;
end do;
Now, translate into SPIN (Promela) code
Homework: check properties
There is never more than one maximal value found.
A maximal value is eventually found.
From the time a maximal value is found, we continue to have one maximal value.
There is no maximal value until a moment where there is one such value, and from there, there is exactly one value until the end.
The maximal value is always 5.
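The translation asked for on the "Now, translate into SPIN (Promela) code" slide, together with the five homework properties as `ltl` claims, as an added example that is not part of the slides. Constructed assumptions: N = 6 nodes carrying the diagram's values in the ring order 3, 7, 2, 9, 4, 12 (node i reads q[i] and writes q[(i+1) % N], i.e. left to right); the channel bound L = 10 is chosen so that a send never blocks (each edge carries at most one `one` and one `two` message per phase plus one `winner`); the globals `nr_leaders` and `leader_value` exist only to state the properties.

```promela
/* Added example: the slide's leader-election pseudocode in Promela, plus the
 * homework properties as ltl claims. Constructed: N = 6, ring order 3,7,2,9,4,12,
 * channel bound L = 10 (large enough that sends never block for this N). */
#define N 6
#define L 10

mtype = { one, two, winner };          /* message tags: first round, second round, announce */
chan q[N] = [L] of { mtype, byte };    /* q[i] is the input channel of node i */

byte nr_leaders = 0;      /* processes that learnt their own value is the maximum */
byte leader_value = 0;    /* the announced maximum (0 until one is found) */
#define found (nr_leaders > 0)

proctype node(chan inp, out; byte mynumber)
{
	bit is_active = 1, know_winner = 0;
	byte nr, maximum = mynumber, neighbour;

	out!one(mynumber);                 /* send(1, my_number); state := active */
end:	do
	:: inp?one(nr) ->                  /* when received(1, number) */
		if
		:: is_active ->
			if
			:: nr != maximum -> out!two(nr); neighbour = nr
			:: else -> know_winner = 1; out!winner(nr)   /* max is greatest: tell everyone */
			fi
		:: else -> out!one(nr)         /* passive: just pass the value on */
		fi
	:: inp?two(nr) ->                  /* when received(2, number) */
		if
		:: is_active ->
			if
			:: neighbour > nr && neighbour > maximum ->
				maximum = neighbour; out!one(neighbour)
			:: else -> is_active = 0   /* left neighbour cannot be the maximum: become passive */
			fi
		:: else -> out!two(nr)
		fi
	:: inp?winner(nr) ->               /* the announcement travels once around the ring */
		if
		:: nr == mynumber -> nr_leaders++; leader_value = nr; assert(nr_leaders == 1)
		:: else -> skip
		fi;
		if
		:: know_winner -> skip         /* originator: the announcement has come full circle */
		:: else -> out!winner(nr)
		fi;
		break
	od
}

init {
	byte val[N];
	byte i = 0;
	atomic {
		val[0] = 3; val[1] = 7; val[2] = 2; val[3] = 9; val[4] = 4; val[5] = 12;
		do
		:: i < N -> run node(q[i], q[(i + 1) % N], val[i]); i++
		:: else -> break
		od
	}
}

/* Homework properties as ltl claims; check one at a time with ./pan -a -N <name> */
ltl at_most_one      { [] (nr_leaders <= 1) }                       /* never more than one maximum found */
ltl eventually_found { <> found }                                   /* a maximum is eventually found */
ltl stays_found      { [] (found -> [] found) }                     /* from then on there is one */
ltl exactly_one      { (nr_leaders == 0) U ([] (nr_leaders == 1)) } /* none until one, then exactly one */
ltl always_five      { [] (found -> (leader_value == 5)) }           /* fails for these values: the maximum is 12 */
```

Build and check with `spin -a leader.pml && gcc -O2 -o pan pan.c`, then `./pan -a -N at_most_one` and so on for each claim. The first four hold for this ring; `always_five` is violated and pan writes a trail, which `spin -t -p leader.pml` replays so the run that elects 12 can be followed message by message. The `end:` label marks the receive loop as a valid end state, so a node blocked waiting for a message is not reported as a deadlock, while a node blocked on a full channel would be.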