The SPIN System

What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial order reduction). Developed in Bell Laboratories.

Documentation Paper: The model checker SPIN, G.J. Holzmann, IEEE Transactions on Software Engineering, Vol 23, Web: whatispin.html

The language of SPIN The expressions are from C. The communication is from CSP. The constructs are from Guarded Command.

Expressions Arithmetic: +, -, *, /, % Comparison: >, >=, <, <=, ==, != Boolean: &&, ||, ! Assignment: = Increment/decrement: ++, --

Declaration byte name1, name2=4, name3; bit b1,b2,b3; short s1,s2; int arr1[5];

Message types and channels mtype = {OK, READY, ACK} mtype Mvar = ACK chan Ng=[2] of {byte, byte, mtype}, Next=[0] of {byte}

Condition if :: x%2==1 -> z=z*y; x-- :: x%2==0 -> y=y*y; x=x/2 fi

Looping do :: x>y -> x=x-y :: y>x -> y=y-x :: else goto outside od; outside: …

Processes Proctype prname (byte Id; chan Comm) { statements } run prname (7, Con[1]); active [12] proctype prname (…) { … }

Init process init { statements } init {byte I=0; atomic{do ::I run prname(I, chan[I]); I=I+1 ::I=10 -> break od}}

Exmaples of Mutual exclusion Reference: A. Ben-Ari, Principles of Concurrent and Distributed Programs, Prentice-Hall 1990.

General structure loop Non_Critical_Section ; TR:Pre_Protocol; CR:Critical_Section; Post_protocol; end loop; Propositions: inCRi, inTRi.

Properties loop Non_Critical_Section ; TR:Pre_Protocol; CR:Critical_Section; Post_protocol; end loop; Assumption: ~<>[]inCRi Requirements: []~(inCR0/\inCR1) [](inTRi--><>inCRi) Not assuming: []<>inTRi

Turn:bit:=1; task P0 is begin loop Non_Critical_Sec; Wait Turn=0; Critical_Sec; Turn:=1; end loop end P0. task P1 is begin loop Non_Critical_Sec; Wait Turn=1; Critical_Sec; Turn:=0; end loop end P1.

Translating into SPIN #define critical (incrit[0] ||incrit[1]) byte turn=0, incrit[2]=0; proctype P (bool id) { do :: 1 -> do :: 1 -> skip :: 1 -> break od; try:do ::turn==id -> break od; cr:incrit[id]=1; incrit[id]=0; turn=1-turn od} init { atomic{ run P(0); run P(1) } }

The leader election algorithm A directed ring of computers. Each has a unique value. Communication is from left to right. Find out which value is the greatest.

Example

Informal description: Initially, all the processes are active. A process that finds out it does not represent a value that can be maximal turns to be passive. A passive process just transfers values from left to right.

More description The algorithm executes in phases. In each phase, each process first sends its current value to the right. Each process, when receiving the first value from its left compares it to its current value. If same: this is the maximum. Tell others. Not same: send current value again to left.

Continued When receiving the second value: compare the three values received. These are values of the process itself. of the left active process. of the second active process on the left. If the left active process has greatest value, then keep this value. Otherwise, become passive.

, 7 2, 9 9, 4 7, 2 4, 12 12, 3

, 7 2, 9 9, 4 7, 2 4, 12 12, 3

, 7 7, 9 9, 12

12

send(1, my_number); state:=active; when received(1,number) do if state=active then if number!=max then send(2, number); neighbor:=number; else (max is greatest, send to all processes); end if; else send(1,number); end if; end do; when received(2,number) do if state=active then if neighbor>number and neighbor>max then max:=neighbor; send(1, neighbor); else state:=passive; end if; else send(2, number); end if; end do;

Now, translate into SPIN (Promela) code

Homework: check properties There is never more than one maximal value found. A maximal value is eventually found. From the time a maximal value is found, we continue to have one maximal value. There is no maximal value until a moment where there is one such value, and from there, there is exactly one value until the end. The maximal value is always 5.