The SPIN System

What is SPIN?

Model-checker. Based on automata theory. Allows LTL or automata

specification Efficient (on-the-fly model

checking, partial order reduction). Developed in Bell Laboratories.

Documentation

Paper: The model checker SPIN,G.J. Holzmann, IEEE Transactions on Software Engineering, Vol 23, 279-295.

Web: http://netlib.belllabs.com/netlib/spin/whatispin.html

The language of SPIN

The expressions are from C. The communication is from CSP. The constructs are from Guarded

Command.

Expressions

Arithmetic: +, -, *, /, % Comparison: >, >=, <, <=, ==,

!= Boolean: &&, ||, ! Assignment: = Increment/decrement: ++, --

Declaration

byte name1, name2=4, name3; bit b1,b2,b3; short s1,s2; int arr1[5];

Message types and channels

mtype = {OK, READY, ACK} mtype Mvar = ACK

chan Ng=[2] of {byte, byte, mtype}, Next=[0] of {byte}

Condition

if:: x%2==1 -> z=z*y; x--:: x%2==0 -> y=y*y; x=x/2fi

Looping

do:: x>y -> x=x-y:: y>x -> y=y-x:: else goto outsideod;outside: …

Processes

Proctype prname (byte Id; chan Comm){ statements}run prname (7, Con[1]);

active [12] proctype prname (…) { … }

Init process

init { statements }init {byte I=0; atomic{do ::I<10 -> run prname(I, chan[I]);

I=I+1 ::I=10 -> break od}}

Exmaples of Mutual exclusion

Reference:A. Ben-Ari, Principles of Concurrent

and Distributed Programs, Prentice-Hall 1990.

General structure

loop

Non_Critical_Section;

TR:Pre_Protocol; CR:Critical_Section; Post_protocol;end loop;

Propositions:inCRi, inTRi.

Properties

loop

Non_Critical_Section;

TR:Pre_Protocol; CR:Critical_Section; Post_protocol;end loop;

Assumption:~<>[]inCRiRequirements:[]~(inCR0/\inCR1)[](inTRi--><>inCRi)Not assuming:[]<>inTRi

Turn:bit:=1;

task P0 is

begin

loop

Non_Critical_Sec;

Wait Turn=0;

Critical_Sec;

Turn:=1;

end loop

end P0.

task P1 is

begin

loop

Non_Critical_Sec;

Wait Turn=1;

Critical_Sec;

Turn:=0;

end loop

end P1.

Translating into SPIN

#define critical (incrit[0] ||incrit[1])

byte turn=0, incrit[2]=0;proctype P (bool id){ do :: 1 -> do :: 1 -> skip :: 1 -> break od;

try:do ::turn==id -> break od; cr:incrit[id]=1; incrit[id]=0; turn=1-turn od}init { atomic{ run P(0); run P(1) } }

The leader election algorithm

A directed ring of computers. Each has a unique value. Communication is from left to right.

Find out which value is the greatest.

Example

7

2

312

9

4

Informal description:

Initially, all the processes are active.

A process that finds out it does not represent a value that can be maximal turns to be passive.

A passive process just transfers values from left to right.

More description

The algorithm executes in phases. In each phase, each process first sends

itscurrent value to the right.

Each process, when receiving the first value from its left compares it to its current value. If same: this is the maximum. Tell others. Not same: send current value again to left.

Continued

When receiving the second value: compare the three values received. These are values of the process itself. of the left active process. of the second active process on the left.

If the left active process has greatest value, then keep this value. Otherwise, become passive.

7

2

312

9

4

3

2

9

7

4

12

7

2

312

9

4

3, 7

2, 9

9, 4

7, 2

4, 12

12, 3

7

2

312

9

4

3, 7

2, 9

9, 4

7, 2

4, 12

12, 3

9

7

12

12, 7

7, 9

9, 12

12

send(1, my_number);state:=active;when

received(1,number) do

if state=active then if number!=max then send(2, number); neighbor:=number; else (max is

greatest, send to all processes); end if; else send(1,number); end if;end do;

when received(2,number) do

if state=active then if neighbor>number

and neighbor>max then

max:=neighbor; send(1, neighbor); else state:=passive; end if; else send(2, number); end if;end do;

Now, translate into SPIN (Promela) code

Homework: check properties

There is never more than one maximal value found.

A maximal value is eventually found.

From the time a maximal value is found, we continue to have one maximal value.

There is no maximal value until a moment where there is one such value, and from there, there is exactly one value until the end.

The maximal value is always 5.