
University of Oregon
Computer & Information Science


Readings on Finite-State Verification
& Model-checking
Fall 2001

 Instructor
Michal Young
michal@cs.uoregon.edu

(541) [34]6-4140

Week 1:

The alternating bit protocol. This set of papers is of mainly historical interest, but it is a "classic" and illustrates how the beginnings of protocol design and specification are tied up with the beginnings of finite-state verification methods.

Weeks 2, 3:

Temporal logic model checking. When you get beyond tiny protocols like the alternating bit protocol, hand verification quickly breaks down. Several issues need to be addressed: How do we represent the system itself (the protocol or other concurrent system) in a way that is sufficiently expressive, concise, understandable, etc.; how do we (efficiently) explore or reason about the possible behaviors of the represented system; and how do we express and check the correctness properties that we want to verify. Temporal logic model checking primarily addresses the last question: Given a temporal logic formula expressing a desirable property of all behaviors of a system, and given a state-machine representation of those behaviors which has been computed in some (unspecified) way, determine whether every possible path through the state machine is consistent with the temporal logic formula.

Reading: Clarke, Emerson, Sistla, 1986. [pdf]
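The algorithm the CES86 paper introduces is easiest to see on a toy: label each state of a finite Kripke structure with the subformulas it satisfies, bottom up, computing the temporal operators as fixpoints over the transition relation. The block below is an added example written for this page, not code from the course or from the paper. The model (a naive two-process turn-based mutual-exclusion protocol), its state encoding and its atomic propositions are constructed here for illustration; everything else follows the labelling scheme over the adequate operator set {EX, EU, EG}.

```python
"""Explicit-state CTL model checking by state labelling, in the style of the
Clarke/Emerson/Sistla algorithm. Added example, not code from the course or
from the paper. The model (a naive two-process turn-based mutex), its state
encoding and its atomic propositions are constructed here for illustration."""

IDLE, TRYING, CRITICAL = "i", "t", "c"
INIT = (IDLE, IDLE, 0)          # (pc of process 0, pc of process 1, turn)

def successors(state):
    """Process k may enter its critical section only when turn == k and hands
    the turn over when it leaves. An idle process may also stay idle (the
    scheduler need not run it); that unfair path is what breaks liveness."""
    pcs, turn = list(state[:2]), state[2]
    out = set()
    for k in (0, 1):
        nxt = list(pcs)
        if pcs[k] == IDLE:
            out.add(state)                      # stutter: stays idle
            nxt[k] = TRYING
            out.add((*nxt, turn))
        elif pcs[k] == TRYING and turn == k:
            nxt[k] = CRITICAL
            out.add((*nxt, turn))
        elif pcs[k] == CRITICAL:
            nxt[k] = IDLE
            out.add((*nxt, 1 - k))
    return out

def labels(state):
    """Atomic propositions: i0/t0/c0 for process 0, i1/t1/c1 for process 1."""
    return {state[0] + "0", state[1] + "1"}

def reachable(init):
    seen, stack = {init}, [init]
    while stack:
        for t in successors(stack.pop()):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen

STATES = reachable(INIT)
SUCC = {s: successors(s) for s in STATES}
LABELS = {s: labels(s) for s in STATES}

# Formulas are nested tuples over the adequate set {true, ap, not, and, EX, EU, EG}.
def AP(name): return ("ap", name)
def Not(f): return ("not", f)
def And(f, g): return ("and", f, g)
def Implies(f, g): return Not(And(f, Not(g)))
def EF(f): return ("EU", ("true",), f)
def AG(f): return Not(EF(Not(f)))
def AF(f): return Not(("EG", Not(f)))

def sat(f):
    """Return the set of reachable states labelled with f (fixpoint iteration)."""
    op = f[0]
    if op == "true":
        return set(STATES)
    if op == "ap":
        return {s for s in STATES if f[1] in LABELS[s]}
    if op == "not":
        return STATES - sat(f[1])
    if op == "and":
        return sat(f[1]) & sat(f[2])
    if op == "EX":
        target = sat(f[1])
        return {s for s in STATES if SUCC[s] & target}
    if op == "EU":          # least fixpoint: grow sat(g) backwards through sat(f)
        left, result = sat(f[1]), sat(f[2])
        while True:
            new = {s for s in left - result if SUCC[s] & result}
            if not new:
                return result
            result |= new
    if op == "EG":          # greatest fixpoint: drop states with no successor inside
        result = sat(f[1])
        while True:
            kept = {s for s in result if SUCC[s] & result}
            if kept == result:
                return result
            result = kept
    raise ValueError(f"unknown operator {op}")

def holds(f):
    return INIT in sat(f)

def violating_states(f):
    """Reachable states where f fails, i.e. where a counterexample would start."""
    return STATES - sat(f)

MUTEX    = AG(Not(And(AP("c0"), AP("c1"))))       # never both critical (safety)
POSSIBLE = AG(Implies(AP("t0"), EF(AP("c0"))))    # entry always remains possible
LIVENESS = AG(Implies(AP("t0"), AF(AP("c0"))))    # entry guaranteed (fails here)

if __name__ == "__main__":
    print(len(STATES), "reachable states")
    for name, f in [("mutex", MUTEX), ("possible", POSSIBLE), ("liveness", LIVENESS)]:
        print(f"{name}: {holds(f)}")
    print("liveness fails at", sorted(violating_states(Implies(AP("t0"), AF(AP("c0"))))))
```

The safety property holds and the "possibility" property holds, but the guaranteed-entry property fails: because an idle process may stutter forever, there is a path on which process 0 stays in its trying state indefinitely. That is the usual reason model checkers add fairness constraints (CES86 treats fair CTL; Spin has a weak-fairness option), and the violating-state set is exactly what a checker turns into a counterexample trace.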

Week 4:

Spin is perhaps the most widely used model checker in academia and industry. It is an "explicit" model checker that actually constructs a representation of reachable states, as opposed to a "symbolic" model checker that constructs a symbolic representation of the state space. It keeps a minimal amount of information for visited states (just a single bit in a big hash table, when the "supertrace" option is used), with more information for states on the path from the root to the current state (i.e., on the search stack). Instead of the branching-time temporal logic described in the CES 86 paper, Spin checks linear-time temporal logic, which it represents using a Büchi automaton. The state space Spin explores is really a kind of product of the model state space and the checking automaton state space.

Reading: The Model Checker Spin, Gerard Holzmann.

Exercise: Parking Garage

Tools: There is a copy of Spin in /cs/classes/cis607swe/tools on the departmental machines. You might prefer to install a personal copy. Spin will run under Unix including Solaris and Linux, and under Windows 95, 98, or NT, and can be downloaded free. Unix installation is fairly simple; I have heard that Windows installation is not so easy, but I haven't tried it myself. (You might be able to compile for MacOS X if you also have Tcl/Tk for the GUI.)

You will need GCC or a compatible C compiler to run Spin (even if you install the pre-compiled version). For speed, Spin actually compiles your model into C code, then compiles the C code and runs it.
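To make the product construction concrete, here is an added example (not Spin's code and not course material) that does in miniature what the Week 4 paragraph describes: the negation of an LTL property is written as a Büchi automaton, the search walks the product of model states and automaton states, and a nested depth-first search looks for a cycle through an accepting product state, which is an infinite run that violates the property. A small supertrace-style bitstate table is included as an alternative visited set so the trade-off of storing one bit per state is visible. The model (a login-session state machine), its propositions and the automaton are constructed for this example.

```python
"""Spin-style explicit-state LTL checking, as an added example (not Spin's
code, and not course material). The negated property is a Buchi automaton,
the search runs over the product of model states and automaton states, and a
nested depth-first search looks for a cycle through an accepting product
state. A small supertrace-style bitstate table is included as an alternative
visited set. The model, its propositions and the automaton are constructed."""
import hashlib

# Constructed model of a login session: state -> (atomic propositions, successors).
# The client may stall in "challenge" forever, so a pending challenge need not resolve.
SESSION = {
    "start":     ({"idle"},     ["challenge"]),
    "challenge": ({"pending"},  ["challenge", "verify"]),
    "verify":    ({"pending"},  ["granted", "denied"]),
    "granted":   ({"resolved"}, ["start"]),
    "denied":    ({"resolved"}, ["start"]),
}
# Same session with a server-side timeout: a stalled challenge is denied.
SESSION_TIMEOUT = dict(SESSION, challenge=({"pending"}, ["verify", "denied"]))
INIT = "start"

# Property: G(pending -> F resolved). Its negation F(pending & G !resolved) as a
# Buchi automaton over the propositions of the current model state:
#   q0 --true--> q0,  q0 --pending--> q1,  q1 --!resolved--> q1,  accepting = {q1}
NEG_PROP = {
    0: [(lambda p: True, 0), (lambda p: "pending" in p, 1)],
    1: [(lambda p: "resolved" not in p, 1)],
}
ACCEPTING = {1}

def product_successors(model, ps):
    """Step the automaton on the current state's propositions, then the model."""
    s, q = ps
    props, nexts = model[s]
    return [(t, q2) for guard, q2 in NEG_PROP[q] if guard(props) for t in nexts]

def nested_dfs(model, init=INIT):
    """Return (path_to_accepting_state, cycle) for an accepting cycle, else None."""
    outer_seen, inner_seen, path = set(), set(), []

    def inner(target, s, cycle):            # second DFS: find a cycle back to target
        for t in product_successors(model, s):
            if t == target:
                return cycle + [t]
            if t not in inner_seen:
                inner_seen.add(t)
                found = inner(target, t, cycle + [t])
                if found:
                    return found
        return None

    def outer(s):                           # first DFS, post-order over accepting states
        outer_seen.add(s)
        path.append(s)
        for t in product_successors(model, s):
            if t not in outer_seen:
                found = outer(t)
                if found:
                    return found
        if s[1] in ACCEPTING:
            cycle = inner(s, s, [])
            if cycle:
                return list(path), cycle
        path.pop()
        return None

    return outer((init, 0))

class BitState:
    """Supertrace-style visited set: one bit per hash slot, no state stored.
    Cheap, but a collision makes a new state look visited (lossy search)."""
    def __init__(self, bits):
        self.table, self.size = bytearray((bits + 7) // 8), bits
    def _slot(self, state):
        return int(hashlib.sha256(repr(state).encode()).hexdigest(), 16) % self.size
    def add(self, state):
        i = self._slot(state)
        self.table[i // 8] |= 1 << (i % 8)
    def __contains__(self, state):
        i = self._slot(state)
        return bool(self.table[i // 8] & (1 << (i % 8)))

def count_product_states(model, visited, init=INIT):
    """Plain reachability over the product, parameterised by the visited structure."""
    start, n = (init, 0), 1
    visited.add(start)
    stack = [start]
    while stack:
        for t in product_successors(model, stack.pop()):
            if t not in visited:
                visited.add(t)
                stack.append(t)
                n += 1
    return n

if __name__ == "__main__":
    print("counterexample:", nested_dfs(SESSION))
    print("with timeout:", nested_dfs(SESSION_TIMEOUT))
    print("exact:", count_product_states(SESSION, set()),
          "bitstate(16 bits):", count_product_states(SESSION, BitState(16)))
```

On the stalling model the search returns a lasso whose cycle is the client sitting in "challenge" with the automaton in its accepting state, i.e. the trace a checker would print; on the timeout variant no accepting cycle exists. The bitstate run can report fewer product states than the exact set because two states may hash to the same bit, which is why supertrace is a coverage trade-off rather than an exhaustive proof.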