SPIN(1) SPIN(1)
NAME
spin - verification tool for concurrent systems
SYNOPSIS
spin [ -nN ] [ -plgrsmv ] [ -iat ] [ -DV ] [ file ]
DESCRIPTION
Spin is a tool for analyzing the logical consistency of con-
current systems, specifically communication protocols. The
system is specified in a guarded command language called
PROMELA2. The language, described in the references, allows
for the dynamic creation of processes, nondeterministic case
selection, loops, gotos, variables, and the specification of
correctness requirements. The tool has fast algorithms for
analyzing arbitrary liveness and safety conditions.
Given a model system specified in PROMELA2, spin can perform
interactive, guided, or random simulations of the system's
execution or it can generate a C program that performs an
exhaustive or approximate verification of the system. The
verifier can check, for instance, if user specified system
invariants are violated during a protocol's execution, or if
non-progress execution cycles exist.
Without any options the program performs a random simulation
of the system defined in the input file, default standard
input. The option -nN sets the random seed to the integer
value N.
The group of options -pglmrsv is used to set the level of
information reported about the simulation run. Every line
of output normally contains a reference to the source line
in the specification that caused it.
p Show at each time step which process changed state and
what source statement was executed.
l In combination with option p, show the current value of
local variables of the process.
g Show the value of global variables at each time step.
r Show all message-receive events, giving the name and
number of the receiving process and the corresponding
source line number. For each message parameter, show
the message type and the message channel number and
name.
s Show all message-send events.
SPIN(1) SPIN(1)
m Ordinarily, a send action will be delayed if the target
message buffer if full. With this option a message
sent to a full buffer is lost. The option can be com-
bined with -a (see below).
v Verbose mode: add extra detail and include more warn-
ings.
i Perform an interactive simulation.
a Generate a protocol-specific verifier. The output is
written into a set of C files, named pan.[cbhmt], that
can be compiled (cc pan.c) to produce an executable
verifier. Systems that require more memory than avail-
able on the target machine can still be analyzed by
compiling the verifier with a bit state space:
cc -DBITSTATE pan.c
This collapses the state space to 1 bit per system
state, with minimal side-effects. Partial order reduc-
tion rules take effect during the verification if the
compiler directive -DREDUCE is used.
The compiled verifiers have their own sets of options,
which can be seen by running them with option -?.
t If the verifier finds a violation of a correctness
property, it writes an error trail. The trail can be
inspected in detail by invoking spin with the -t
option. In combination with the options pglrsv, dif-
ferent views of the error sequence are then be
obtained.
D Perform a static dataflow analysis.
V Print the version number and exit.
SEE ALSO
G.J. Holzmann, Design and Validation of Computer Protocols,
Prentice Hall, 1991.
-, ``Using SPIN''.