Abstract—SPIN is an efficient verification system for models of distributed software systems. It has been used to detect design errors in applications ranging from high-level descriptions of distributed algorithms to detailed code for controlling telephone exchanges. This paper gives an overview of the design and structure of the verifier, reviews its theoretical foundation, and gives an overview of significant practical applications. Index Terms—Formal methods, program verification, design verification, model checking, distributed systems, concurrency.

Distributed Feature Composition (DFC) is a new technology for feature specification and composition, based on a virtual architecture offering benefits analogous to those of a pipe-and-filter architecture. In the DFC architecture, customer calls are processed by dynamically assembled configurations of filter-like components: each component implements an applicable feature, and communicates with its neighbors by featureless internal calls that are connected by the underlying architectural substrate.

This paper concerns the transfer of files via a lossy communication channel. It formally specifies this file transfer service in a property-oriented way and investigates -- using two different techniques -- whether a given bounded retransmission protocol conforms to this service. This protocol is based on the well-known alternating bit protocol but allows for a bounded number of retransmissions of a chunk, i.e., part of a file, only. So, eventual delivery is not guaranteed and the protocol may abort the file transfer. We investigate to what extent real-time aspects are important to guarantee the protocol's correctness and use Spin and

User views of calls are modelled by behaviour trees, which are synchronised to form a network of users. High level presentations of the models are given using process algebra and an explicit theory of features, including precedences. These precedences abstractly encapsulate the possible state spaces which result from different combinations of features. The high level presentation supports incremental development of features and testing and experimentation through animation. Interactions which are not detected during the experimentation phase may be found through static analysis of the high level presentation, through dynamic analysis of the underlying low level transition system, and through verification of temporal properties through model-checking. In each case, interactions are resolved through manipulation of the feature precedences.

Feature-oriented specifications must be constructed, validated, and verified differently from other specifications. The crucial step is determining how features should interact. 1 Feature-Oriented Specification A feature of a software system is an optional or incremental unit of functionality. A feature-oriented specification is organized by features. It consists of a base specification and feature modules, each of which specifies a separate feature. The behavior of the system as a whole is determined by applying a feature-composition operator to these modules. A feature interaction is some way in which a feature or features modify or influence another feature in defining overall system behavior. Formally this influence can take many forms, depending on the nature of the featurespecification language and composition operator. A group of logical assertions, composed by conjunction, can affect each other's meanings rather differently than a group of finite-state machines, composed b...

A basic call model for telecommunications services, including a communication protocol for asynchronous communication between call processes, is defined in PROMELA. The model and protocol are analysed for using XSPINand some errors are uncovered.

A formal framework for reasoning about architectural properties of software systems is presented. The systems of interest are represented as hierarchies of interconnected components. The main concept introduced is that of a module whose single most important attribute is its architecture, defined by means of an interface and a description of the module 's internal configuration in terms of components and connections between them. The components are themselves instances of other modules. In this context, a central notion of is that of two systems being architecturally equivalent. It is also discussed how architectural refinement and extension can be formalized. A link with behavioral theories is established by introducing a notion of functional equivalence derived from architectural properties. ## Contents 1 Introduction 3 2 Concepts 4 2.1 Static Modules .................................. 4 2.2 Interface of a Module ............................... 5 2.3 Designation of a Module ........

We present an application of the Spin model-checker in Testbed, aframework for business process reengineering. Business processes are described by end-users of Testbed in a graphical language with a causality-based semantics, called Amber. The Amber language contains various constructs describing actions, causality relations, disabling, interaction and hierarchical composition. Data entities are modelled as variables that are handled by the business processes. We presentavalidation methodology for business processes using model-checking techniques. In this approach, an Amber specification is automatically translated into a state machine description in Promela,which is the input language of the Spin model-checker. The correctness properties, concerning both the behavioural aspects and the data entities used in the specification, are checked on the resulting Promela program using Spin. Aprototype verification toolset has been developed and successfully applied to various examples inspired from industrial Amber specifications.

This paper shows how an engineer could write a full formal description of the service layer of a telecommunication system, organized according to the Distributed Feature Composition virtual architecture. Descriptions in Promela and Z can be composed using a joint semantics based on the transition-axiom method. The described system can be reasoned about in several ways, including use of tools developed for the individual languages.

Spin is a general verification tool for proving correctness properties of concurrent/distributed systems specified in the CSP-like modeling language PROMELA. We extend PROMELA's syntax to differentiate between external and internal transitions in a given model and the SPIN tool with the ability to verify a particular class of semantic relations between two PROMELA models. This document describes this extension and gives an overview of the relevant theoretical foundations.