The SPIN System
What is SPIN?
Model-checker. Based on automata theory. Allows LTL or automata specification. Efficient (on-the-fly model checking, partial order reduction). Developed in Bell Laboratories.
Documentation
Paper: G.J. Holzmann, The model checker SPIN, IEEE Transactions on Software Engineering, Vol. 23, pp. 279-295.
Web: http://netlib.belllabs.com/netlib/spin/whatispin.html
The language of SPIN
The expressions are from C. The communication is from CSP. The constructs are from Guarded Command.
Expressions
Arithmetic: +, -, *, /, %
Comparison: >, >=, <, <=, ==, !=
Boolean: &&, ||, !
Assignment: =
Increment/decrement: ++, --
Declaration
byte name1, name2=4, name3;
bit b1, b2, b3;
short s1, s2;
int arr1[5];
Message types and channels
mtype = {OK, READY, ACK};
mtype Mvar = ACK;
chan Ng = [2] of {byte, byte, mtype}, Next = [0] of {byte};
Condition
if
:: x%2==1 -> z=z*y; x--
:: x%2==0 -> y=y*y; x=x/2
fi
Looping
do
:: x>y -> x=x-y
:: y>x -> y=y-x
:: else -> goto outside
od;
outside: …
Processes
proctype prname (byte Id; chan Comm) { statements }
run prname (7, Con[1]);
active [12] proctype prname (…) { … }
Init process
init { statements }

init {
  byte I=0;
  atomic {
    do
    :: I<10 -> run prname(I, Con[I]); I=I+1
    :: I==10 -> break
    od
  }
}
Examples of Mutual exclusion
Reference: A. Ben-Ari, Principles of Concurrent and Distributed Programs, Prentice-Hall 1990.
General structure
loop
  Non_Critical_Section;
  TR: Pre_Protocol;
  CR: Critical_Section;
  Post_Protocol;
end loop;
Propositions: inCRi, inTRi.
Properties
Assumption: ~<>[]inCRi
Requirements:
[]~(inCR0 /\ inCR1)
[](inTRi --> <>inCRi)
Not assuming: []<>inTRi
Turn: bit := 1;
task P0 is
begin
  loop
    Non_Critical_Sec;
    Wait Turn=0;
    Critical_Sec;
    Turn:=1;
  end loop
end P0.
task P1 is
begin
  loop
    Non_Critical_Sec;
    Wait Turn=1;
    Critical_Sec;
    Turn:=0;
  end loop
end P1.
Translating into SPIN
#define critical (incrit[0] || incrit[1])
byte turn=0, incrit[2]=0;
proctype P (bool id) {
  do
  :: 1 ->
     do
     :: 1 -> skip
     :: 1 -> break
     od;
try: do
     :: turn==id -> break
     od;
cr:  incrit[id]=1;
     incrit[id]=0;
     turn=1-turn
  od
}
init { atomic { run P(0); run P(1) } }
The leader election algorithm
A directed ring of computers. Each has a unique value. Communication is from left to right.
Find out which value is the greatest.
Example (ring diagram): six processes holding the values 7, 2, 3, 12, 9, 4.
Informal description:
Initially, all the processes are active.
A process that finds out that it does not represent a value that can be the maximum becomes passive.
A passive process just transfers values from left to right.
More description
The algorithm executes in phases. In each phase, each process first sends its current value to the right.
Each process, when receiving the first value from its left, compares it to its current value. If they are the same: this is the maximum, tell the others. If not the same: send the received value on.
Continued
When receiving the second value: compare the three values, which are the value of the process itself, the value of the left active process, and the value of the second active process on the left.
If the left active process has the greatest value, then keep (adopt) this value. Otherwise, become passive.
(Figure: the example ring run phase by phase.)
Phase 1, values received from the left, shown as (left value, own value): (3, 7), (2, 9), (9, 4), (7, 2), (4, 12), (12, 3).
After phase 1 only the values 9, 7 and 12 remain active.
Phase 2: (12, 7), (7, 9), (9, 12).
After phase 2 only 12 remains active, and 12 is the maximum.
max := my_number;
send(1, my_number);
state := active;
when received(1, number) do
  if state = active then
    if number != max then
      send(2, number);
      neighbor := number;
    else
      (max is greatest, send to all processes);
    end if;
  else
    send(1, number);
  end if;
end do;
when received(2, number) do
  if state = active then
    if neighbor > number and neighbor > max then
      max := neighbor;
      send(1, neighbor);
    else
      state := passive;
    end if;
  else
    send(2, number);
  end if;
end do;
Now, translate into SPIN (Promela) code
Homework: check properties
There is never more than one maximal value found.
A maximal value is eventually found.
From the time a maximal value is found, we continue to have one maximal value.
There is no maximal value until a moment where there is one such value, and from there, there is exactly one value until the end.
The maximal value is always 5.
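The Promela translation the slide asks for, written here as an added example (it is not the lecture's own solution); the process, channel and variable names and the three message tags are assumptions, the ring order and values are the ones from the example above, and the ltl claims state the homework properties for this ring:

```promela
/* Added example, not the slides' solution; the names below are assumed. */
#define N 6
mtype = { one, two, winner };          /* phase-1, phase-2 and announcement tags */
chan link[N] = [N] of { mtype, byte }; /* link[i] carries messages into node i from its left */
byte nr_leaders = 0;                   /* how many processes declared a maximum */
byte found = 0;                        /* the value that was declared maximal */

proctype node(byte id; byte my_number) {
  byte max, neighbor = 0, number;
  bool active = true;
  chan inp, outp;
  max = my_number;
  inp = link[id]; outp = link[(id + 1) % N];   /* ring: node i sends to node i+1 */
  outp ! one(my_number);
  do
  :: inp ? one(number) ->
       if
       :: active && number != max -> outp ! two(number); neighbor = number
       :: active && number == max ->              /* my own value came back: maximum */
            nr_leaders++; found = number; outp ! winner(number)
       :: else -> outp ! one(number)              /* passive: just forward */
       fi
  :: inp ? two(number) ->
       if
       :: active && neighbor > number && neighbor > max ->
            max = neighbor; outp ! one(neighbor)  /* adopt the left active value */
       :: active && !(neighbor > number && neighbor > max) -> active = false
       :: else -> outp ! two(number)
       fi
  :: inp ? winner(number) ->
       if
       :: active -> break                         /* announcement came all the way round */
       :: else -> outp ! winner(number); break
       fi
  od
}

init {
  atomic {        /* the slides' ring: 3 -> 7 -> 2 -> 9 -> 4 -> 12 -> 3 */
    run node(0, 3); run node(1, 7); run node(2, 2);
    run node(3, 9); run node(4, 4); run node(5, 12)
  }
}

/* The homework properties as LTL claims; this ring's maximum is 12, not 5 */
ltl at_most_one { [] (nr_leaders <= 1) }
ltl eventually_one { <> (nr_leaders == 1) }
ltl stays_one { [] (nr_leaders == 1 -> [] (nr_leaders == 1)) }
ltl is_twelve { [] (nr_leaders == 1 -> found == 12) }
```

Generate the verifier with spin -a on the file, compile pan.c, and check one claim at a time with pan -a -N at_most_one (and likewise for the other claim names); replacing 12 by 5 in is_twelve gives a claim that the verifier refutes with a counterexample trail.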