The SPIN System - PowerPoint PPT Presentation

About This Presentation
Title: The SPIN System
Description: Efficient (on-the-fly model checking, partial order reduction). Developed ... G.J. Holzmann, IEEE Transactions on Software ... Activation of a process: ...
Slides: 36
Provided by: dor124

Transcript and Presenter's Notes

1
The SPIN System
2
What is SPIN?
  • Model-checker.
  • Based on automata theory.
  • Allows LTL or automata specification
  • Efficient (on-the-fly model checking, partial
    order reduction).
  • Developed in Bell Laboratories.

3
Documentation
  • Paper: The model checker SPIN, G.J. Holzmann,
    IEEE Transactions on Software Engineering, Vol.
    23, 279-295.
  • Web: http://www.spinroot.com

4
The language of SPIN
  • The expressions are from C.
  • The communication is from CSP.
  • The constructs are from Guarded Command.

5
Expressions
  • Arithmetic: +, -, *, /, %
  • Comparison: >, >=, <, <=, ==, !=
  • Boolean: &&, ||, !
  • Assignment: =
  • Increment/decrement: ++, --

6
Declaration
  • byte name1, name2=4, name3;
  • bit b1,b2,b3;
  • short s1,s2;
  • int arr[15];

7
Message types and channels
  • mtype = {OK, READY, ACK};
  • mtype Mvar = ACK;
  • chan Ng = [2] of {byte, byte, mtype},
    Next = [0] of {byte};
  • Ng has a buffer of 2; each message consists of two bytes and an
    enumerable type (mtype). Next is used with handshake message
    passing.

8
Sending and receiving a message
  • Channel declaration:
    chan qname = [3] of {mtype, byte, byte};
  • In the sender:
    qname!tag3(expr1, expr2)
    or equivalently
    qname!tag3, expr1, expr2
  • In the receiver:
    qname?tag3(var1, var2)

9
Defining an array of channels
  • Channel declaration:
    chan qname = [3] of {mtype, byte, byte}
    defines a channel with buffer size 3.
  • chan comm[5] = [0] of {byte, byte}
    defines an array of channels (indexed 0 to 4). Communication is
    synchronous (handshaking), meaning that the sender waits for the
    receiver.

10
Condition
    if
    :: x%2==1 -> z=z*y; x--
    :: x%2==0 -> y=y*y; x=x/2
    fi
  • If more than one guard is enabled: a nondeterministic choice.
  • If no guard is enabled the process waits (until a guard becomes
    enabled).

11
Looping
    do
    :: x>y -> x=x-y
    :: y>x -> y=y-x
    :: else -> break
    od
  • The normal way to terminate a loop is with break (or goto).
  • As in a condition, the loop may involve a nondeterministic choice,
    or may have to wait.

12
Processes
  • Definition of a process:
    proctype prname (byte Id; chan Comm) {
      statements
    }
  • Activation of a process:
    run prname (7, Con1);

13
init process is the root of activating all others
  • init { statements }
  • init { byte I=0;
      atomic { do
        :: I<10 -> run prname(I, chan[I]);
                   I=I+1
        :: I==10 -> break
        od } }
  • atomic allows performing several actions as one atomic step.

14
Examples of mutual exclusion
  • Reference
  • A. Ben-Ari, Principles of Concurrent and
    Distributed Programs, Prentice-Hall 1990.

15
General structure
    loop
      Non_Critical_Section
      TR: Pre_Protocol
      CR: Critical_Section
      Post_protocol
    end loop
  • Propositions: inCRi, inTRi.

16
Properties
    loop
      Non_Critical_Section
      TR: Pre_Protocol
      CR: Critical_Section
      Post_protocol
    end loop
  • Assumption: []<>¬inCRi
  • Requirements:
    []¬(inCR0 /\ inCR1)
    [](inTRi --> <>inCRi)
  • Not assuming: []<>inTRi

17
Turn: bit := 1
    task P0 is
    begin
      loop
        Non_Critical_Sec
        Wait Turn=0
        Critical_Sec
        Turn:=1
      end loop
    end P0.

    task P1 is
    begin
      loop
        Non_Critical_Sec
        Wait Turn=1
        Critical_Sec
        Turn:=0
      end loop
    end P1.

18
Translating into SPIN
    #define critical (incrit[0] && incrit[1])
    byte turn=0, incrit[2]=0;
    proctype P (bool id) {
      do
      :: 1 ->
           do
           :: 1 -> skip
           :: 1 -> break
           od;
      try: do
           :: turn==id -> break
           od;
      cr:  incrit[id]=1;
           incrit[id]=0;
           turn=1-turn
      od }
    init { atomic { run P(0); run P(1) } }

19
The leader election algorithm
A directed ring of computers. Each has a unique
value. Communication is from left to right. Find
out which value is the greatest.
20
Example
21
Informal description
  • Initially, all the processes are active.
  • A process that finds out it does not represent a
    value that can be maximal turns to be passive.
  • A passive process just transfers values from left
    to right.

22
More description
  • The algorithm executes in phases.
  • In each phase, each process first sends its current value to the
    right.
  • Each process, when receiving the first value from its left,
    compares it to its current value.
  • If they are the same, this is the maximum: tell the others.
  • If they are not the same, send the current value again to the left.

23
Continued
  • When receiving the second value, compare the three values received.
    These are the values:
    of the process itself,
    of the left active process,
    of the second active process on the left.
  • If the left active process has the greatest value among the three,
    then keep this value. Otherwise, become passive.

24
(No Transcript)
25
(Figure: the example ring with the values 9, 4, 12, 3, 7, 2; the pairs 9,4 / 4,12 / 12,3 / 3,7 / 7,2 / 2,9 are the values each node holds after the first exchange of the phase)
26
(Figure: the same ring as on slide 25, next step of the phase)
27
(Figure: the values still active after the first phase: 9, 12, 7)
28
(No Transcript)
29
(Figure: the elected maximum: 12)
30
    send(1, my_number);
    state := active;
    when received(1, number) do
      if state = active then
        if number != max then
          send(2, number);
          neighbor := number
        else (max is greatest, send
              to all processes)
        end if
      else send(1, number)
      end if
    end do
    when received(2, number) do
      if state = active then
        if neighbor > number and neighbor > max then
          max := neighbor;
          send(1, neighbor)
        else state := passive
        end if
      else send(2, number)
      end if
    end do

31
Now, translate into SPIN (Promela) code
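One possible translation, added here as an example and not taken from the slides: a ring of N nodes, each reading from ring[i] and writing to ring[(i+1)%N], following the slide-30 pseudocode line by line. The tags ONE/TWO, the channel and variable names and the counter nr_leaders are my own choices; the node values are the ones in the slide figure. The two ltl claims are the slide-33 properties "there is never more than one maximal value found" and "a maximal value is eventually found".

```promela
/* Added example, not from the slides: the slide-30 election on a ring of N nodes. */
#define N 6

mtype = { ONE, TWO };                    /* first and second value of a phase */
chan ring[N] = [N] of { mtype, byte };   /* ring[i]: input of node i, written by node i-1 */
byte nr_leaders = 0;

proctype node(byte i; byte my_number) {
  byte max, neighbor, number;
  bool active = true;
  max = my_number;
  ring[(i + 1) % N] ! ONE(my_number);    /* send(1, my_number) */
end:                                     /* waiting here after the election is a valid end state */
  do
  :: ring[i] ? ONE(number) ->
       if
       :: active ->
            if
            :: number != max ->          /* pass it on as the second value */
                 ring[(i + 1) % N] ! TWO(number);
                 neighbor = number
            :: else ->                   /* own value came all the way round: leader */
                 nr_leaders++;
                 break
            fi
       :: else -> ring[(i + 1) % N] ! ONE(number)   /* passive: just forward */
       fi
  :: ring[i] ? TWO(number) ->
       if
       :: active ->
            if
            :: neighbor > number && neighbor > max ->
                 max = neighbor;         /* keep the left active neighbour's value */
                 ring[(i + 1) % N] ! ONE(neighbor)
            :: else -> active = false    /* not a local maximum: become passive */
            fi
       :: else -> ring[(i + 1) % N] ! TWO(number)
       fi
  od
}

init {
  atomic {
    run node(0, 9); run node(1, 4); run node(2, 12);
    run node(3, 3); run node(4, 7); run node(5, 2)
  }
}

ltl one_leader   { [] (nr_leaders <= 1) }
ltl leader_found { <> (nr_leaders == 1) }
```

spin -a leader.pml, gcc -o pan pan.c and ./pan -a -N leader_found (or -N one_leader) check the claims; plain ./pan also reports invalid end states, which is how a too-small channel buffer or a missing end: label would show up. Because every node originates at most one ONE and one TWO message per phase and passive nodes only forward, a buffer of N per channel is ample.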
32
Running SPIN
  • Can be downloaded and installed (for free) from
    www.spinroot.com
  • Available in our system.
  • Graphical interface: xspin

33
Homework check properties
  • There is no maximal value until a moment where
    there is one such value, and from there, there is
    exactly one value until the end.
  • The maximal value is always 5.
  • There is never more than one maximal value found.
  • A maximal value is eventually found.
  • From the time a maximal value is found, we
    continue to have one maximal value.

34
Dekker's algorithm
    boolean c1 initially 1; boolean c2 initially 1;
    integer (1..2) turn initially 1;

    P1: while true do
        begin
          non-critical section 1;
          c1 := 0;
          while c2 = 0 do
            begin
              if turn = 2 then
                begin c1 := 1; wait until turn = 1 end
            end;
          critical section 1;
          c1 := 1; turn := 2
        end.

    P2: while true do
        begin
          non-critical section 2;
          c2 := 0;
          while c1 = 0 do
            begin
              if turn = 1 then
                begin c2 := 1; wait until turn = 2 end
            end;
          critical section 2;
          c2 := 1; turn := 1
        end.

35
Project
  • Model in Spin
  • Specify properties
  • Do model checking
  • Can this work without fairness?
  • What to do with fairness?
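The project questions about fairness can be tried directly on the slide-34 algorithm. The following is an added example, not from the slides: Dekker's algorithm in Promela with the slide-16 requirements as ltl claims. The arrays c[], incs[] and intr[] and the claim names are my own; index 0 of each array is unused so that i runs over 1 and 2 as on the slide. This version re-lowers c[i] after the wait, as in the standard formulation; without that line pan finds a run in which both processes are in their critical section, which is a useful thing to see once.

```promela
/* Added example, not from the slides: Dekker's algorithm of slide 34 with
   mutual exclusion and freedom from starvation as ltl claims. */
bool c[3]    = 1;            /* c[i] == 0: process i wants to enter */
byte turn    = 1;            /* 1 or 2, as on the slide */
bool incs[3] = 0;            /* inCR_i */
bool intr[3] = 0;            /* inTR_i */

proctype Dekker(byte i) {
  byte other;
  other = 3 - i;
  do
  :: true ->
       /* non-critical section i (finite here) */
       intr[i] = 1;
       c[i] = 0;
       do
       :: c[other] == 0 ->
            if
            :: turn == other ->
                 c[i] = 1;
                 (turn == i);          /* wait until turn = i */
                 c[i] = 0              /* standard Dekker: raise the claim again */
            :: else -> skip
            fi
       :: else -> break
       od;
       intr[i] = 0;
       incs[i] = 1;                   /* critical section i */
       incs[i] = 0;
       c[i] = 1;
       turn = other
  od
}

init { atomic { run Dekker(1); run Dekker(2) } }

ltl mutex    { [] !(incs[1] && incs[2]) }

/* Holds only for a fair scheduler: ./pan -a reports a cycle in which process 2
   runs forever and process 1 is never scheduled although it is enabled;
   ./pan -a -f (weak fairness) accepts the claim. */
ltl nostarve { [] (intr[1] -> <> incs[1]) }
```

This is the answer to the slide's two questions in executable form: mutual exclusion needs no fairness assumption, while the no-starvation requirement [](inTRi --> <>inCRi) is only provable under weak fairness, which pan enforces with -f. spin -t -p dekker.pml replays the unfair cycle pan finds without -f.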