Presentation is loading. Please wait.

Presentation is loading. Please wait.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

Published byDestiny Murray Modified over 10 years ago

Similar presentations

Presentation on theme: "The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial."— Presentation transcript:

1 The SPIN System

2 What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial order reduction). Developed in Bell Laboratories.

3 Documentation Paper: The model checker SPIN, G.J. Holzmann, IEEE Transactions on Software Engineering, Vol 23, 279-295. Web: http://netlib.belllabs.com/netlib/spin/ whatispin.html

4 The language of SPIN The expressions are from C. The communication is from CSP. The constructs are from Guarded Command.

5 Expressions Arithmetic: +, -, *, /, % Comparison: >, >=, <, <=, ==, != Boolean: &&, ||, ! Assignment: = Increment/decrement: ++, --

6 Declaration byte name1, name2=4, name3; bit b1,b2,b3; short s1,s2; int arr1[5];

7 Message types and channels mtype = {OK, READY, ACK} mtype Mvar = ACK chan Ng=[2] of {byte, byte, mtype}, Next=[0] of {byte}

8 Condition if :: x%2==1 -> z=z*y; x-- :: x%2==0 -> y=y*y; x=x/2 fi

9 Looping do :: x>y -> x=x-y :: y>x -> y=y-x :: else goto outside od; outside: …

10 Processes Proctype prname (byte Id; chan Comm) { statements } run prname (7, Con[1]); active [12] proctype prname (…) { … }

11 Init process init { statements } init {byte I=0; atomic{do ::I run prname(I, chan[I]); I=I+1 ::I=10 -> break od}}

12 Exmaples of Mutual exclusion Reference: A. Ben-Ari, Principles of Concurrent and Distributed Programs, Prentice-Hall 1990.

13 General structure loop Non_Critical_Section ; TR:Pre_Protocol; CR:Critical_Section; Post_protocol; end loop; Propositions: inCRi, inTRi.

14 Properties loop Non_Critical_Section ; TR:Pre_Protocol; CR:Critical_Section; Post_protocol; end loop; Assumption: ~<>[]inCRi Requirements: []~(inCR0/\inCR1) [](inTRi--><>inCRi) Not assuming: []<>inTRi

15 Turn:bit:=1; task P0 is begin loop Non_Critical_Sec; Wait Turn=0; Critical_Sec; Turn:=1; end loop end P0. task P1 is begin loop Non_Critical_Sec; Wait Turn=1; Critical_Sec; Turn:=0; end loop end P1.

16 Translating into SPIN #define critical (incrit[0] ||incrit[1]) byte turn=0, incrit[2]=0; proctype P (bool id) { do :: 1 -> do :: 1 -> skip :: 1 -> break od; try:do ::turn==id -> break od; cr:incrit[id]=1; incrit[id]=0; turn=1-turn od} init { atomic{ run P(0); run P(1) } }

17 The leader election algorithm A directed ring of computers. Each has a unique value. Communication is from left to right. Find out which value is the greatest.

18 Example 7 2 3 12 9 4

19 Informal description: Initially, all the processes are active. A process that finds out it does not represent a value that can be maximal turns to be passive. A passive process just transfers values from left to right.

20 More description The algorithm executes in phases. In each phase, each process first sends its current value to the right. Each process, when receiving the first value from its left compares it to its current value. If same: this is the maximum. Tell others. Not same: send current value again to left.

21 Continued When receiving the second value: compare the three values received. These are values of the process itself. of the left active process. of the second active process on the left. If the left active process has greatest value, then keep this value. Otherwise, become passive.

22 7 2 3 12 9 4 3 2 9 7 4

23 7 2 3 9 4 3, 7 2, 9 9, 4 7, 2 4, 12 12, 3

24 7 2 3 12 9 4 3, 7 2, 9 9, 4 7, 2 4, 12 12, 3

25 9 7 12 12, 7 7, 9 9, 12

26 12

27 send(1, my_number); state:=active; when received(1,number) do if state=active then if number!=max then send(2, number); neighbor:=number; else (max is greatest, send to all processes); end if; else send(1,number); end if; end do; when received(2,number) do if state=active then if neighbor>number and neighbor>max then max:=neighbor; send(1, neighbor); else state:=passive; end if; else send(2, number); end if; end do;

28 Now, translate into SPIN (Promela) code

29 Homework: check properties There is never more than one maximal value found. A maximal value is eventually found. From the time a maximal value is found, we continue to have one maximal value. There is no maximal value until a moment where there is one such value, and from there, there is exactly one value until the end. The maximal value is always 5.

Download ppt "The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial."

Similar presentations

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.

1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
1 Carnegie Mellon UniversitySPIN ExamplesFlavio Lerda Bug Catching15-398 SPIN Examples.

1 Carnegie Mellon UniversitySPIN ExamplesFlavio Lerda Bug Catching SPIN Examples.
CS542 Topics in Distributed Systems Diganta Goswami.

CS542 Topics in Distributed Systems Diganta Goswami.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
1 Chapter 2 Synchronization Algorithms and Concurrent Programming Gadi Taubenfeld © 2007 Synchronization Algorithms and Concurrent Programming Gadi Taubenfeld.

1 Chapter 2 Synchronization Algorithms and Concurrent Programming Gadi Taubenfeld © 2007 Synchronization Algorithms and Concurrent Programming Gadi Taubenfeld.
Multiprocessor Synchronization Algorithms (20225241) Lecturer: Danny Hendler The Mutual Exclusion problem.

Multiprocessor Synchronization Algorithms ( ) Lecturer: Danny Hendler The Mutual Exclusion problem.
© 2011 Carnegie Mellon University SPIN: Part 2 15-414/614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.

© 2011 Carnegie Mellon University SPIN: Part /614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.
Distributed Computing 2. Leader Election – ring network Shmuel Zaks ©

Distributed Computing 2. Leader Election – ring network Shmuel Zaks ©
Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.

Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.
An Overview of PROMELA. A protocol Validation Language –A notation for the specification and verification of procedure rules. –A partial description of.

An Overview of PROMELA. A protocol Validation Language –A notation for the specification and verification of procedure rules. –A partial description of.
CIS 725 Guarded Command Notation. Programming language style notation Guarded actions en(a)  a en(a): guard of the action boolean condition or boolean.

CIS 725 Guarded Command Notation. Programming language style notation Guarded actions en(a)  a en(a): guard of the action boolean condition or boolean.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
SPIN Verification System The Model Checker SPIN By Gerard J. Holzmann Comp 587 – 12/2/09 Eduardo Borjas – Omer Azmon ☐ ☐

SPIN Verification System The Model Checker SPIN By Gerard J. Holzmann Comp 587 – 12/2/09 Eduardo Borjas – Omer Azmon ☐ ☐
The Spin Model Checker Promela Introduction 50374 Nguyen Tuan Duc 50378 Shogo Sawai.

The Spin Model Checker Promela Introduction Nguyen Tuan Duc Shogo Sawai.

Similar presentations

Ads by Google