1

I created a simple model in Spin in which two processes S send messages to another process R. Process R then sends responses to both processes. I would like to define the property "if process x sends a message, then process y eventually receives it", as shown below. The problem is that although the simulation is working as expected, verification is not. The property I defined at line 9 is always passing without errors although I injected a fault at line 17 that should make verification fail. Am I missing something here? 

1   byte r1PId;
2   byte s1PId;
3   byte s2PId;
4   
5   byte nextM = 1;
6   
7   chan toS[2] = [2] of {byte};
8   
9   ltl p1 {[] ((s[s1PId]:m > 0) -> <>(s[s1PId]:m == r:m))}
10  
11  proctype r(byte id; chan stoR)
12  {
13      do
14      :: true
15      byte c; byte m; byte m2;
16      stoR?c, m2;
17      m = 67; //should be m = m2
18  
19      byte response = 50;
20  
21      toS[c]!response;
22      od
23  }
24  
25  proctype s(byte id; chan rtoS; chan stoR)
26  {
27      byte m;
28      atomic
29      {
30          m = nextM;
31          nextM = nextM+1;
32      }
33      stoR!id, m;
34      byte response;
35      rtoS?response;  
36  }
37  
38  init{
39     chan toR = [10] of {byte, byte};
40     r1PId = run r(10, toR);
41     s1PId = run s(0, toS[0], toR);
42     s2PId = run s(1, toS[1], toR);
43  }
4

1 回答 1

0

似乎存在范围问题。当进程s终止时,其局部变量将超出范围。在这种情况下,参考s[s1PId]:m将是0.

另一方面,在 process 中r,变量m是在块内声明的。它被初始化为0每次之前stoR?c, m2。因此,引用r:m将始终0在收到消息两次之后。

所以,<>(s[s1PId]:m == r:m)永远都是true

要快速解决此问题,您可以 (i) 将声明移到byte m循环r外;或 (ii) 添加一个无限循环s以防止其终止。

于 2016-02-29T09:29:47.283 回答