1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
|
.TH SPIN 1
.SH NAME
spin - verification tool for models of concurrent systems
.SH SYNOPSIS
.B spin
.B -a
[
.B -m
]
[
.BI -P cpp
]
.I file
.PP
.B spin
[
.B -bglmprsv
]
[
.BI -n N
]
[
.BI -P cpp
]
.I file
.PP
.B spin
.B -c
[
.B -t
]
[
.BI -P cpp
]
.I file
.PP
.B spin
.B -d
[
.BI -P cpp
]
.I file
.PP
.B spin
.B -f
.I ltl
.PP
.B spin
.B -F
.I file
.PP
.B spin
.B -i
[
.B -bglmprsv
]
[
.BI -n N
]
[
.BI -P cpp
]
.I file
.PP
.B spin
.B -M
[
.B -t
]
[
.BI -P cpp
]
.I file
.PP
.B spin
.BR -t [ \fIN ]
[
.B -bglmprsv
]
[
.BI -j N
]
[
.BI -P cpp
]
.I file
.PP
.B spin
.B -V
.SH DESCRIPTION
.I Spin
is a tool for analyzing the logical consistency of
asynchronous systems, specifically distributed software
amd communication protocols.
A verification model of the system is first specified
in a guarded command language called
.IR Promela .
This specification language, described in the reference,
allows for the modeling of dynamic creation of
asynchronous processes,
nondeterministic case selection, loops, gotos, local and
global variables.
It also allows for a concise specification of logical
correctness requirements, including, but not restricted
to requirements expressed in linear temporal logic.
.PP
Given a Promela model stored in
.IR file ,
.I spin
can perform interactive, guided, or random simulations
of the system's execution.
It can also generate a C program that performs an exhaustive
or approximate verification of the correctness requirements
for the system.
.
.TP
.B -a
Generate a verifier (model checker) for the specification.
The output is written into a set of C files, named
.BR pan.[cbhmt] ,
that can be compiled
.RB ( "pcc pan.c" )
to produce an executable verifier.
The online
.I spin
manuals (see below) contain
the details on compilation and use of the verifiers.
.
.TP
.B -c
Produce an ASCII approximation of a message sequence
chart for a random or guided (when combined with
.BR -t )
simulation run. See also option
.BR -M .
.
.TP
.B -d
Produce symbol table information for the model specified in
.IR file .
For each Promela object this information includes the type, name and
number of elements (if declared as an array), the initial
value (if a data object) or size (if a message channel), the
scope (global or local), and whether the object is declared as
a variable or as a parameter. For message channels, the data types
of the message fields are listed.
For structure variables, the third field defines the
name of the structure declaration that contains the variable.
.
.TP
.BI -f " ltl"
Translate the LTL formula
.I ltl
into a
.I never
claim.
.br
This option reads a formula in LTL syntax from the second argument
and translates it into Promela syntax (a
.I never
claim, which is Promela's
equivalent of a Büchi Automaton).
The LTL operators are written:
.B []
(always),
.B <>
(eventually),
and
.B U
(strong until). There is no
.B X
(next) operator, to secure
compatibility with the partial order reduction rules that are
applied during the verification process.
If the formula contains spaces, it should be quoted to form a
single argument to the
.I spin
command.
.
.TP
.BI -F " file"
Translate the LTL formula stored in
.I file
into a
.I never
claim.
.br
This behaves identically to option
.B -f
but will read the formula from the
.I file
instead of from the command line.
The file should contain the formula as the first line. Any text
that follows this first line is ignored, so it can be used to
store comments or annotation on the formula.
(On some systems the quoting conventions of the shell complicate
the use of option
.BR -f .
Option
.B -F
is meant to solve those problems.)
.
.TP
.B -i
Perform an interactive simulation, prompting the user at
every execution step that requires a nondeterministic choice
to be made. The simulation proceeds without user intervention
when execution is deterministic.
.
.TP
.B -M
Produce a message sequence chart in Postscript form for a
random simulation or a guided simulation
(when combined with
.BR -t ),
for the model in
.IR file ,
and write the result into
.IR file.ps .
See also option
.BR -c .
.
.TP
.B -m
Changes the semantics of send events.
Ordinarily, a send action will be (blocked) if the
target message buffer is full.
With this option a message sent to a full buffer is lost.
.
.TP
.BI -n N
Set the seed for a random simulation to the integer value
.IR N .
There is no space between the
.B -n
and the integer
.IR N .
.
.TP
.B -t
Perform a guided simulation, following the error trail that
was produces by an earlier verification run, see the online manuals
for the details on verification.
.
.TP
.B -V
Prints the
.I spin
version number and exits.
.
.PP
With only a filename as an argument and no options,
.I spin
performs a random simulation of the model specified in
the file (standard input is the default if the filename is omitted).
If option
.B -i
is added, the simulation is
.IR interactive ,
or if option
.B -t
is added, the simulation is
.IR guided .
.PP
The simulation normally does not generate output, except what is generated
explicitly by the user within the model with
.I printf
statements, and some details about the final state that is
reached after the simulation completes.
The group of options
.B -bglmprsv
sets the desired level of information that the user wants
about a random, guided, or interactive simulation run.
Every line of output normally contains a reference to the source
line in the specification that generated it.
.
.TP
.B -b
Suppress the execution of
.I printf
statements within the model.
.TP
.B -g
Show at each time step the current value of global variables.
.TP
.B -l
In combination with option
.BR -p ,
show the current value of local variables of the process.
.TP
.B -p
Show at each simulation step which process changed state,
and what source statement was executed.
.TP
.B -r
Show all message-receive events, giving
the name and number of the receiving process
and the corresponding the source line number.
For each message parameter, show
the message type and the message channel number and name.
.TP
.B -s
Show all message-send events.
.TP
.B -v
Verbose mode, add some more detail, and generate more
hints and warnings about the model.
.SH SOURCE
.B /sys/src/cmd/spin
.SH SEE ALSO
.in +4
.ti -4
.BR http://spinroot.com :
.BR GettingStarted.pdf ,
.BR Roadmap.pdf ,
.BR Manual.pdf ,
.BR WhatsNew.pdf ,
.B Exercises.pdf
.br
.in -4
G.J. Holzmann,
.IR "Design and Validation of Computer Protocols" ,
Prentice Hall, 1991.
.br
—, `Design and validation of protocols: a tutorial,'
.IR "Computer Networks and ISDN Systems" ,
Vol. 25, No. 9, 1993, pp. 981-1017.
.br
—, `The model checker Spin,'
.IR "IEEE Trans. on SE" ,
Vol, 23, No. 5, May 1997.
|
