Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIS 842: Specification and Verification of Reactive Systems Lecture SPIN-Soldiers: Soldiers Case Study Copyright 2001-2002, Matt Dwyer, John Hatcliff,

Published byCurtis Archibald McDonald Modified over 9 years ago

Similar presentations

Presentation on theme: "CIS 842: Specification and Verification of Reactive Systems Lecture SPIN-Soldiers: Soldiers Case Study Copyright 2001-2002, Matt Dwyer, John Hatcliff,"— Presentation transcript:

1 CIS 842: Specification and Verification of Reactive Systems Lecture SPIN-Soldiers: Soldiers Case Study Copyright 2001-2002, Matt Dwyer, John Hatcliff, Robby. The syllabus and all lectures for this course are copyrighted materials and may not be used in other course settings outside of Kansas State University in their current form or modified form without the express written permission of one of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of one of the copyright holders.

2 SPIN-Soldiers: Soldiers Case Study 2 Objectives Review the basic constructs of Promela by carrying out a simply modeling problem

3 SPIN-Soldiers: Soldiers Case Study 3 Outline Statement of problem Processes Basic data types and expressions Commands Communication primitives

4 SPIN-Soldiers: Soldiers Case Study 4 Problem Statement Unsafe SideSafe Side <= 2 pers mines 5102025 <= 60 min?

5 SPIN-Soldiers: Soldiers Case Study 5 Problem Statement Four soldiers who are heavily injured, try to flee their home land. The enemy is chasing them and in the middle of the night they arrive at a bridge that spans a river which is the border between the two countries at war. The bridge has been damaged and can only carry two soldiers at a time. Furthermore, several land-mines have been placed on the bridge and a torch is needed to sidestep all the mines. The enemy is on their trail, so the soldiers know that they have only 60 minutes to cross the bridge. The soldiers only have a single torch and they are not equally injured. The following table lists the crossing times (one-way!) for each of the soldiers: soldier S0 5 minutes soldier S1 10 minutes soldier S2 20 minutes soldier S3 25 minutes Does a schedule exist which gets all four soldiers to the safe side within 60 minutes? Hint: Before proceeding, it may be instructive to solve the soldiers problem on paper before proceeding. (Ruys & Brinksma 1998)

6 SPIN-Soldiers: Soldiers Case Study 6 For You To Do… Pause the lecture… Try to solve the soldiers problem on paper before proceeding.

7 SPIN-Soldiers: Soldiers Case Study 7 Assessment Even though the problem statement suggests a strong connection to “time”, we don’t need a special notion of “clock” or a real-time model- checker to model this problem. In essence, this is a scheduling/planning problem, and we will be taking advantage of the fact that a model-checker explores all possible orders of instruction interleavings. Thus, we can easily have the model-checker construct all the different orderings for moving soldiers across the bridge.

8 SPIN-Soldiers: Soldiers Case Study 8 Modeling: Basic Ideas There is communication of soldiers between two components: unsafe side and safe side Unsafe Side Safe Side proctype Unsafe()proctype Safe()

9 SPIN-Soldiers: Soldiers Case Study 9 Modeling: Basic Ideas There is communication of soldiers between two components: unsafe side and safe side Unsafe Side Safe Side proctype Unsafe()proctype Safe() 0 1 2 3 here 0 1 2 3

10 SPIN-Soldiers: Soldiers Case Study 10 Modeling: Basic Ideas There is communication of soldiers between two components: unsafe side and safe side Unsafe Side Safe Side proctype Unsafe()proctype Safe() chan unsafe_to_safe = [0] of {soldier, soldier} ; chan safe_to_unsafe = [0] of {soldier} ; 0 1 2 3 here 0 1 2 3

11 SPIN-Soldiers: Soldiers Case Study 11 Modeling: Basic Ideas There is communication of soldiers between two components: unsafe side and safe side Unsafe Side Safe Side proctype Unsafe()proctype Safe() It’s clear that you want to send two soldiers over but only one soldier back (this tells us what types to give to the channels above). chan unsafe_to_safe = [0] of {soldier, soldier} ; chan safe_to_unsafe = [0] of {soldier} ; No need to buffer messages because you can never have more than one “package” of soldiers on bridge at a time (so channel size is 0). 0 1 2 3 here 0 1 2 3

12 SPIN-Soldiers: Soldiers Case Study 12 Sides as Processes proctype Unsafe() { bit here[N] ; soldier s1, s2 ; here[0] = 1 ; here[1] = 1 ; here[2] = 1 ; here[3] = 1 ; do :: select_soldier(s1) ; select_soldier(s2) ; unsafe_to_safe ! s1, s2 ; IF all_gone -> break FI ; safe_to_unsafe ? s1 ; here[s1] = 1 ; stopwatch ! s1 ; od } proctype Safe() { bit here[N] ; soldier s1, s2 ; do :: unsafe_to_safe ? s1, s2 ; here[s1] = 1 ; here[s2] = 1 ; stopwatch ! max(s1, s2) ; IF all_here -> break FI ; select_soldier(s1) ; safe_to_unsafe ! s1 od }

13 SPIN-Soldiers: Soldiers Case Study 13 Sides as Processes proctype Unsafe() { bit here[N] ; soldier s1, s2 ; here[0] = 1 ; here[1] = 1 ; here[2] = 1 ; here[3] = 1 ; do :: select_soldier(s1) ; select_soldier(s2) ; unsafe_to_safe ! s1, s2 ; IF all_gone -> break FI ; safe_to_unsafe ? s1 ; here[s1] = 1 ; stopwatch ! s1 ; od } proctype Safe() { bit here[N] ; soldier s1, s2 ; do :: unsafe_to_safe ? s1, s2 ; here[s1] = 1 ; here[s2] = 1 ; stopwatch ! max(s1, s2) ; IF all_here -> break FI ; select_soldier(s1) ; safe_to_unsafe ! s1 od } Soldiers start on unsafe side.

14 SPIN-Soldiers: Soldiers Case Study 14 Sides as Processes proctype Unsafe() { bit here[N] ; soldier s1, s2 ; here[0] = 1 ; here[1] = 1 ; here[2] = 1 ; here[3] = 1 ; do :: select_soldier(s1) ; select_soldier(s2) ; unsafe_to_safe ! s1, s2 ; IF all_gone -> break FI ; safe_to_unsafe ? s1 ; here[s1] = 1 ; stopwatch ! s1 ; od } proctype Safe() { bit here[N] ; soldier s1, s2 ; do :: unsafe_to_safe ? s1, s2 ; here[s1] = 1 ; here[s2] = 1 ; stopwatch ! max(s1, s2) ; IF all_here -> break FI ; select_soldier(s1) ; safe_to_unsafe ! s1 od } Non-deterministically choose two soldiers to cross, and mark them as not “here”.

15 SPIN-Soldiers: Soldiers Case Study 15 Sides as Processes proctype Unsafe() { bit here[N] ; soldier s1, s2 ; here[0] = 1 ; here[1] = 1 ; here[2] = 1 ; here[3] = 1 ; do :: select_soldier(s1) ; select_soldier(s2) ; unsafe_to_safe ! s1, s2 ; IF all_gone -> break FI ; safe_to_unsafe ? s1 ; here[s1] = 1 ; stopwatch ! s1 ; od } proctype Safe() { bit here[N] ; soldier s1, s2 ; do :: unsafe_to_safe ? s1, s2 ; here[s1] = 1 ; here[s2] = 1 ; stopwatch ! max(s1, s2) ; IF all_here -> break FI ; select_soldier(s1) ; safe_to_unsafe ! s1 od } Send chosen soldiers across bridge.

16 SPIN-Soldiers: Soldiers Case Study 16 Sides as Processes proctype Unsafe() { bit here[N] ; soldier s1, s2 ; here[0] = 1 ; here[1] = 1 ; here[2] = 1 ; here[3] = 1 ; do :: select_soldier(s1) ; select_soldier(s2) ; unsafe_to_safe ! s1, s2 ; IF all_gone -> break FI ; safe_to_unsafe ? s1 ; here[s1] = 1 ; stopwatch ! s1 ; od } proctype Safe() { bit here[N] ; soldier s1, s2 ; do :: unsafe_to_safe ? s1, s2 ; here[s1] = 1 ; here[s2] = 1 ; stopwatch ! max(s1, s2) ; IF all_here -> break FI ; select_soldier(s1) ; safe_to_unsafe ! s1 od } Exit if all soldiers are gone.

17 SPIN-Soldiers: Soldiers Case Study 17 Sides as Processes proctype Unsafe() { bit here[N] ; soldier s1, s2 ; here[0] = 1 ; here[1] = 1 ; here[2] = 1 ; here[3] = 1 ; do :: select_soldier(s1) ; select_soldier(s2) ; unsafe_to_safe ! s1, s2 ; IF all_gone -> break FI ; safe_to_unsafe ? s1 ; here[s1] = 1 ; stopwatch ! s1 ; od } proctype Safe() { bit here[N] ; soldier s1, s2 ; do :: unsafe_to_safe ? s1, s2 ; here[s1] = 1 ; here[s2] = 1 ; stopwatch ! max(s1, s2) ; IF all_here -> break FI ; select_soldier(s1) ; safe_to_unsafe ! s1 od } Receive soldiers from safe side.

18 SPIN-Soldiers: Soldiers Case Study 18 Sides as Processes proctype Unsafe() { bit here[N] ; soldier s1, s2 ; here[0] = 1 ; here[1] = 1 ; here[2] = 1 ; here[3] = 1 ; do :: select_soldier(s1) ; select_soldier(s2) ; unsafe_to_safe ! s1, s2 ; IF all_gone -> break FI ; safe_to_unsafe ? s1 ; here[s1] = 1 ; stopwatch ! s1 ; od } proctype Safe() { bit here[N] ; soldier s1, s2 ; do :: unsafe_to_safe ? s1, s2 ; here[s1] = 1 ; here[s2] = 1 ; stopwatch ! max(s1, s2) ; IF all_here -> break FI ; select_soldier(s1) ; safe_to_unsafe ! s1 od } Mark soldiers as “here”

19 SPIN-Soldiers: Soldiers Case Study 19 Sides as Processes proctype Unsafe() { bit here[N] ; soldier s1, s2 ; here[0] = 1 ; here[1] = 1 ; here[2] = 1 ; here[3] = 1 ; do :: select_soldier(s1) ; select_soldier(s2) ; unsafe_to_safe ! s1, s2 ; IF all_gone -> break FI ; safe_to_unsafe ? s1 ; here[s1] = 1 ; stopwatch ! s1 ; od } proctype Safe() { bit here[N] ; soldier s1, s2 ; do :: unsafe_to_safe ? s1, s2 ; here[s1] = 1 ; here[s2] = 1 ; stopwatch ! max(s1, s2) ; IF all_here -> break FI ; select_soldier(s1) ; safe_to_unsafe ! s1 od } Advance stopwatch by time associated with slowest (highest #) soldier.

20 SPIN-Soldiers: Soldiers Case Study 20 Sides as Processes proctype Unsafe() { bit here[N] ; soldier s1, s2 ; here[0] = 1 ; here[1] = 1 ; here[2] = 1 ; here[3] = 1 ; do :: select_soldier(s1) ; select_soldier(s2) ; unsafe_to_safe ! s1, s2 ; IF all_gone -> break FI ; safe_to_unsafe ? s1 ; here[s1] = 1 ; stopwatch ! s1 ; od } proctype Safe() { bit here[N] ; soldier s1, s2 ; do :: unsafe_to_safe ? s1, s2 ; here[s1] = 1 ; here[s2] = 1 ; stopwatch ! max(s1, s2) ; IF all_here -> break FI ; select_soldier(s1) ; safe_to_unsafe ! s1 od } Exit if all soldiers here.

21 SPIN-Soldiers: Soldiers Case Study 21 Sides as Processes proctype Unsafe() { bit here[N] ; soldier s1, s2 ; here[0] = 1 ; here[1] = 1 ; here[2] = 1 ; here[3] = 1 ; do :: select_soldier(s1) ; select_soldier(s2) ; unsafe_to_safe ! s1, s2 ; IF all_gone -> break FI ; safe_to_unsafe ? s1 ; here[s1] = 1 ; stopwatch ! s1 ; od } proctype Safe() { bit here[N] ; soldier s1, s2 ; do :: unsafe_to_safe ? s1, s2 ; here[s1] = 1 ; here[s2] = 1 ; stopwatch ! max(s1, s2) ; IF all_here -> break FI ; select_soldier(s1) ; safe_to_unsafe ! s1 od } Non-deterministically select from soldiers here to return to other side, and mark soldier as not here.

22 SPIN-Soldiers: Soldiers Case Study 22 Sides as Processes proctype Unsafe() { bit here[N] ; soldier s1, s2 ; here[0] = 1 ; here[1] = 1 ; here[2] = 1 ; here[3] = 1 ; do :: select_soldier(s1) ; select_soldier(s2) ; unsafe_to_safe ! s1, s2 ; IF all_gone -> break FI ; safe_to_unsafe ? s1 ; here[s1] = 1 ; stopwatch ! s1 ; od } proctype Safe() { bit here[N] ; soldier s1, s2 ; do :: unsafe_to_safe ? s1, s2 ; here[s1] = 1 ; here[s2] = 1 ; stopwatch ! max(s1, s2) ; IF all_here -> break FI ; select_soldier(s1) ; safe_to_unsafe ! s1 od } Send soldier back to unsafe side.

23 SPIN-Soldiers: Soldiers Case Study 23 Sides as Processes proctype Unsafe() { bit here[N] ; soldier s1, s2 ; here[0] = 1 ; here[1] = 1 ; here[2] = 1 ; here[3] = 1 ; do :: select_soldier(s1) ; select_soldier(s2) ; unsafe_to_safe ! s1, s2 ; IF all_gone -> break FI ; safe_to_unsafe ? s1 ; here[s1] = 1 ; stopwatch ! s1 ; od } proctype Safe() { bit here[N] ; soldier s1, s2 ; do :: unsafe_to_safe ? s1, s2 ; here[s1] = 1 ; here[s2] = 1 ; stopwatch ! max(s1, s2) ; IF all_here -> break FI ; select_soldier(s1) ; safe_to_unsafe ! s1 od } Receive soldier from unsafe side.

24 SPIN-Soldiers: Soldiers Case Study 24 Sides as Processes proctype Unsafe() { bit here[N] ; soldier s1, s2 ; here[0] = 1 ; here[1] = 1 ; here[2] = 1 ; here[3] = 1 ; do :: select_soldier(s1) ; select_soldier(s2) ; unsafe_to_safe ! s1, s2 ; IF all_gone -> break FI ; safe_to_unsafe ? s1 ; here[s1] = 1 ; stopwatch ! s1 ; od } proctype Safe() { bit here[N] ; soldier s1, s2 ; do :: unsafe_to_safe ? s1, s2 ; here[s1] = 1 ; here[s2] = 1 ; stopwatch ! max(s1, s2) ; IF all_here -> break FI ; select_soldier(s1) ; safe_to_unsafe ! s1 od } Mark received soldier as “here”

25 SPIN-Soldiers: Soldiers Case Study 25 Sides as Processes proctype Unsafe() { bit here[N] ; soldier s1, s2 ; here[0] = 1 ; here[1] = 1 ; here[2] = 1 ; here[3] = 1 ; do :: select_soldier(s1) ; select_soldier(s2) ; unsafe_to_safe ! s1, s2 ; IF all_gone -> break FI ; safe_to_unsafe ? s1 ; here[s1] = 1 ; stopwatch ! s1 ; od } proctype Safe() { bit here[N] ; soldier s1, s2 ; do :: unsafe_to_safe ? s1, s2 ; here[s1] = 1 ; here[s2] = 1 ; stopwatch ! max(s1, s2) ; IF all_here -> break FI ; select_soldier(s1) ; safe_to_unsafe ! s1 od } Advance stopwatch with time associated with received soldier.

26 SPIN-Soldiers: Soldiers Case Study 26 Soldier Booking #define N 4 #define soldier byte #define select_soldier(x) \ if \ :: here[0] -> x=0 \ :: here[1] -> x=1 \ :: here[2] -> x=2 \ :: here[3] -> x=3 \ fi ; \ here[x] = 0 #define all_gone (!here[0] && !here[1] && !here[2] && !here[3]) #define all_here (here[0] && here[1] && here[2] && here[3]) Non-deterministically select a soldier that is here and assign the soldier’s # to x. Then mark soldier as “not here”.

27 SPIN-Soldiers: Soldiers Case Study 27 Soldier Bookkeeping #define N 4 #define soldier byte #define select_soldier(x) \ if \ :: here[0] -> x=0 \ :: here[1] -> x=1 \ :: here[2] -> x=2 \ :: here[3] -> x=3 \ fi ; \ here[x] = 0 #define all_gone (!here[0] && !here[1] && !here[2] && !here[3]) #define all_here (here[0] && here[1] && here[2] && here[3]) Test for “all here” or “all gone”

28 SPIN-Soldiers: Soldiers Case Study 28 Miscellaneous Macros #define MSCTIME printf("MSC: %d\n", time) #define IF if :: #define FI :: else fi #define max(x,y) ((x>y) -> x : y) Used to display times in message sequence chart

29 SPIN-Soldiers: Soldiers Case Study 29 Miscellaneous Macros #define MSCTIME printf("MSC: %d\n", time) #define IF if :: #define FI :: else fi #define max(x,y) ((x>y) -> x : y) Handy for simple conditionals with no “else”

30 SPIN-Soldiers: Soldiers Case Study 30 Miscellaneous Macros #define MSCTIME printf("MSC: %d\n", time) #define IF if :: #define FI :: else fi #define max(x,y) ((x>y) -> x : y) Implement MAX function

31 SPIN-Soldiers: Soldiers Case Study 31 Timer Process proctype Timer() { end: do :: stopwatch ? 0 -> atomic { time=time+5 ; MSCTIME } :: stopwatch ? 1 -> atomic { time=time+10 ; MSCTIME } :: stopwatch ? 2 -> atomic { time=time+20 ; MSCTIME } :: stopwatch ? 3 -> atomic { time=time+25 ; MSCTIME } od } Note: the reason that we might have a separate process to increment these timing values is because we don’t want to duplicate the code in both the safe and unsafe processes. SPIN does not have functions/procedures so one can only “factor out” code by (a) using a macro, (b) implementing the functionality in a separate process and passing parameters to it using a channel (e.g., stopwatch above).

32 SPIN-Soldiers: Soldiers Case Study 32 Timer Process proctype Timer() { end: do :: stopwatch ? 0 -> atomic { time=time+5 ; MSCTIME } :: stopwatch ? 1 -> atomic { time=time+10 ; MSCTIME } :: stopwatch ? 2 -> atomic { time=time+20 ; MSCTIME } :: stopwatch ? 3 -> atomic { time=time+25 ; MSCTIME } od } Note: the reason that we might have a separate process to increment these timing values is because we don’t want to duplicate the code in both the safe and unsafe processes. SPIN does not have functions/procedures so one can only “factor out” code by (a) using a macro, (b) implementing the functionality in a separate process and passing parameters to it using a channel (e.g., stopwatch above). Unique ID of soldier Increment clock by “time weight” associated with soldier.

33 SPIN-Soldiers: Soldiers Case Study 33 Timer Process proctype Timer() { end: do :: stopwatch ? 0 -> atomic { time=time+5 ; MSCTIME } :: stopwatch ? 1 -> atomic { time=time+10 ; MSCTIME } :: stopwatch ? 2 -> atomic { time=time+20 ; MSCTIME } :: stopwatch ? 3 -> atomic { time=time+25 ; MSCTIME } od } Note: the reason that we might have a separate process to increment these timing values is because we don’t want to duplicate the code in both the safe and unsafe processes. SPIN does not have functions/procedures so one can only “factor out” code by (a) using a macro, (b) implementing the functionality in a separate process and passing parameters to it using a channel (e.g., stopwatch above). “end” label signifies that the state at the beginning of the do-loop is a valid end-state.

34 SPIN-Soldiers: Soldiers Case Study 34 For You To Do… Pause the lecture… Run SPIN in simulation mode to step through a complete schedule of soldiers crossing the bridge. Now let’s consider an exhaustive verification with SPIN -- how can you get SPIN to search and display a schedule that allows the soldiers to move to the safe side in 60 minutes or less?

35 SPIN-Soldiers: Soldiers Case Study 35 Finding A Solution We would like to get SPIN to generate a trace for us that illustrates a schedule where the soldiers can get from the unsafe to the safe side in 60 minutes or less. SPIN generates counter-example or property-violation traces. Therefore, we need to ask SPIN to try to prove that a schedule does not exist. If it finds a counterexample, it will illustrate a schedule that’s a solution to the soldiers problem. Using Linear Temporal Logic, we can formalize the desired property directly (as illustrated on the next slide). One can also get SPIN to generate an appropriate trace using an assertion.

36 SPIN-Soldiers: Soldiers Case Study 36 Temporal Property Eventually, the variable time has a value greater than 60. <>(time > 60) …is expressed in Linear Temporal Logic as…

37 SPIN-Soldiers: Soldiers Case Study 37 SPIN Steps Define the predicate time > 60 in soldiers.prom file #define outoftime time > 60 Put the negation of the desired LTL property in soldiers.ltl (!<>(outoftime)) Run SPIN to create a verifier based on the property spin –a –F soldiers.ltl soldiers.prom Compile gcc –o pan.exe pan.c Run with command-line option (-a) specifying that a liveness property is being checked pan.exe –a Display error trail as message sequence chart (creates soldiers.ps ) spin –t –M soldiers.prom

38 SPIN-Soldiers: Soldiers Case Study 38 Message Sequence Chart Soldiers 0,1  Safe Total time: 10min Soldiers 0  Unsafe Total time: 15min Soldiers 2,3  Safe Total time: 40min Soldiers 1  Unsafe Total time: 50min Soldiers 0,1  Safe Total time: 60min spin –t –M soldiers.prom

39 SPIN-Soldiers: Soldiers Case Study 39 For You To Do… Pause the lecture… Download the file soldiers.prom from the web page and carry out the steps described on the previous two slides. An appropriate schedule can also be generated using an assertion, but you will probably have to tweak the model in soldiers.prom slightly. Generate an appropriate schedule using an assertion.

40 SPIN-Soldiers: Soldiers Case Study 40 Acknowledgements The Soldiers Problem description and solution is taken from a paper by Ruys and Brinksma at the TACAS 1998 (Lecture Notes in Computer Science 1384). Thanks to Theo Ruys for the Promela source code.

Download ppt "CIS 842: Specification and Verification of Reactive Systems Lecture SPIN-Soldiers: Soldiers Case Study Copyright 2001-2002, Matt Dwyer, John Hatcliff,"

Similar presentations

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
Scientific Enquiry, Scientific Process or Problem Solving?

Scientific Enquiry, Scientific Process or Problem Solving?
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Formalization of Health Information Portability and Accountability Act (HIPAA) Simon Berring, Navya Rehani, Dina Thomas.

Formalization of Health Information Portability and Accountability Act (HIPAA) Simon Berring, Navya Rehani, Dina Thomas.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.

Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
The Design Process - An Overview

The Design Process - An Overview
The Spin Model Checker Promela Introduction 50374 Nguyen Tuan Duc 50378 Shogo Sawai.

The Spin Model Checker Promela Introduction Nguyen Tuan Duc Shogo Sawai.
1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.

1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.
© Janice Regan, CMPT 102, Sept. 2006 0 CMPT 102 Introduction to Scientific Computer Programming The software development method algorithms.

© Janice Regan, CMPT 102, Sept CMPT 102 Introduction to Scientific Computer Programming The software development method algorithms.
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.

Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.
Temporal Logic Model- checking with SPIN COMP6004 Stéphane Lo Presti Part 4: Specifications.

Temporal Logic Model- checking with SPIN COMP6004 Stéphane Lo Presti Part 4: Specifications.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.

1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.
Algorithms and Problem Solving. Learn about problem solving skills Explore the algorithmic approach for problem solving Learn about algorithm development.

Algorithms and Problem Solving. Learn about problem solving skills Explore the algorithmic approach for problem solving Learn about algorithm development.
Automating Checking of Models Built Using a Graphically Based Formal Language Robert John Walters.

Automating Checking of Models Built Using a Graphically Based Formal Language Robert John Walters.

Similar presentations

Ads by Google