## The Model Checker SPIN (1997)

Venue: IEEE Transactions on Software Engineering

Citations: 1266 (25 self-citations)

### BibTeX

    @ARTICLE{Holzmann97themodel,
      author  = {Gerard J. Holzmann},
      title   = {The Model Checker SPIN},
      journal = {IEEE Transactions on Software Engineering},
      year    = {1997},
      volume  = {23},
      number  = {5},
      pages   = {279--295}
    }

### Abstract

SPIN is an efficient verification system for models of distributed software systems. It has been used to detect design errors in applications ranging from high-level descriptions of distributed algorithms to detailed code for controlling telephone exchanges. This paper gives an overview of the design and structure of the verifier, reviews its theoretical foundation, and gives an overview of significant practical applications.

### Citations

1298 | Symbolic Model Checking - McMillan - 1993
Citation Context: ...In focusing on asynchronous control in software systems, rather than synchronous control in hardware systems, SPIN distinguishes itself from other well-known approaches to model checking, e.g., [12], [49], **[53]**. As a formal methods tool, SPIN aims to provide: 1) an intuitive, program-like notation for specifying design choices unambiguously, without implementation detail, 2) a powerful, concise notation for...

768 | Design and Validation of Computer Protocols - Holzmann - 1991
Citation Context: ...design verification, model checking, distributed systems, concurrency. 1 INTRODUCTION SPIN is a generic verification system that supports the design and verification of asynchronous process systems **[36]**, [39]. SPIN verification models are focused on proving the correctness of process interactions, and they attempt to abstract as much as possible from internal sequential computations. Process interactions...

416 | Computer-Aided Verification of Coordinating Processes - Kurshan - 1995
Citation Context: ...In focusing on asynchronous control in software systems, rather than synchronous control in hardware systems, SPIN distinguishes itself from other well-known approaches to model checking, e.g., [12], **[49]**, [53]. As a formal methods tool, SPIN aims to provide: 1) an intuitive, program-like notation for specifying design choices unambiguously, without implementation detail, 2) a powerful, concise notation...

269 | Simple on-the-fly automatic verification of linear temporal logic - Gerth, Peled, et al. - 1995
Citation Context: ...Vardi and Wolper showed in 1983 that any LTL formula can be translated into a Büchi automaton [78]. SPIN performs the conversion to Büchi automata mechanically based on a simple on-the-fly construction **[25]**. The automata that are generated formally accept only those (infinite) system executions that satisfy the corresponding LTL formula. As noted briefly above, we use correctness requirements to formali...

194 | Synthesis of Synchronization Skeletons for Branching Time Temporal Logic - Clarke, Emerson
Citation Context: ...these. In focusing on asynchronous control in software systems, rather than synchronous control in hardware systems, SPIN distinguishes itself from other well-known approaches to model checking, e.g., **[12]**, [49], [53]. As a formal methods tool, SPIN aims to provide: 1) an intuitive, program-like notation for specifying design choices unambiguously, without implementation detail, 2) a powerful, concise...

127 | Memory efficient algorithms for verification of temporal properties - Courcoubetis, Vardi, et al. - 1992
Citation Context: ...starting from the individual concurrent components and a single Büchi automaton representing the correctness claim, is done by SPIN in one single procedure, using a nested depth-first search algorithm **[17]**, [36], [43]. The algorithm terminates when an acceptance cycle is found (which then constitutes a counterexample to a correctness requirement), or, when no counterexample exists, when the complete intersection...

122 | Evaluating deadlock detection methods for concurrent software - Corbett - 1996
Citation Context: ...the leader election algorithm illustrated in Fig. 1, nonstandard mutual exclusion algorithms [37], communications network design problems [65], or protocol design problems [2], [3], [22], [23], [7], **[16]**, [36], [51]. In the course of the work on SPIN, we have also constructed verification models for, e.g., the Cambridge ring protocol [56], and the IEEE logical link control protocol LLC 802.2 [52]. Ot...

114 | An Improvement in Formal Verification - Holzmann, Peled - 1994
Citation Context: ...representatives of classes of execution sequences that are indistinguishable for a given correctness property. The implementation of this reduction method is based on a static reduction technique, described in **[41]**, that, before the actual verification begins, identifies cases where partial order reduction rules can safely be applied when the verification itself is performed. This static reduction method avoids...

94 | Symbolic model checking - Burch, Clarke, et al. - 1990

82 | An analysis of bitstate hashing - Holzmann - 1998
Citation Context: ...on of the results of an exhaustive run can be performed in relatively small amounts of memory. For this purpose, SPIN includes an implementation of the bit-state hashing or supertrace technique [34], **[42]**. With this algorithm, two bits of memory are used to store a reachable state. The bit-addresses are computed with two statistically independent hash functions. If storing one reachable system state r...
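
The two-bit scheme described in this context, as an added example that is not SPIN's own code: a depth-first reachability search whose visited-state store is a bit table addressed by two independent hash functions (here blake2b with two different personalization strings, an assumption made for illustration), run over a constructed two-counter model and compared with an exhaustive search that keeps every state in an ordinary set. The names `BitStateStore`, `SetStore`, `explicit_search`, `counter_model` and `coverage` are this example's own, not SPIN's.

```python
"""Bit-state (supertrace) hashing for reachability analysis.

Added example, not SPIN's own code.  Each visited state is recorded as
two bits whose addresses come from two independent hash functions; a
state whose two bits are already set is treated as previously visited.
Memory is fixed by the table size, not by the number of states, and a
collision silently drops a state, so the search is not exhaustive.
"""
import hashlib
from typing import Callable, Hashable, List, Set, Tuple

State = Hashable
Successors = Callable[[State], List[State]]


class SetStore:
    """Exhaustive store: every state kept in a Python set (the baseline)."""

    def __init__(self) -> None:
        self.seen: Set[State] = set()

    def test_and_set(self, state: State) -> bool:
        if state in self.seen:
            return False
        self.seen.add(state)
        return True


class BitStateStore:
    """Two-bit-per-state store of nbits bits (memory = nbits / 8 bytes)."""

    def __init__(self, nbits: int) -> None:
        self.nbits = nbits
        self.table = bytearray((nbits + 7) // 8)

    def _addr(self, state: State, person: bytes) -> int:
        # Two hash functions from one keyed family: blake2b's personalization
        # string is this example's (assumed) way to get independent functions.
        h = hashlib.blake2b(repr(state).encode(), digest_size=8, person=person)
        return int.from_bytes(h.digest(), "big") % self.nbits

    def test_and_set(self, state: State) -> bool:
        addrs = (self._addr(state, b"h1"), self._addr(state, b"h2"))
        seen = all(self.table[i >> 3] & (1 << (i & 7)) for i in addrs)
        for i in addrs:
            self.table[i >> 3] |= 1 << (i & 7)
        return not seen  # "new" unless both bits were already set


def explicit_search(init: State, successors: Successors, store) -> int:
    """Iterative depth-first reachability; returns how many states it explored."""
    explored = 0
    stack: List[State] = []
    if store.test_and_set(init):
        stack.append(init)
        explored += 1
    while stack:
        s = stack.pop()
        for t in successors(s):
            if store.test_and_set(t):
                stack.append(t)
                explored += 1
    return explored


def counter_model(m: int) -> Tuple[State, Successors]:
    """Constructed toy system: two counters modulo m, each may step; m*m states."""
    def successors(state: State) -> List[State]:
        a, b = state
        return [((a + 1) % m, b), (a, (b + 1) % m)]
    return (0, 0), successors


def coverage(nbits: int, m: int = 20) -> Tuple[int, int]:
    """(states explored with an nbits bit-state table, true state count)."""
    init, succ = counter_model(m)
    return (explicit_search(init, succ, BitStateStore(nbits)),
            explicit_search(init, succ, SetStore()))


if __name__ == "__main__":
    for nbits in (1 << 8, 1 << 12, 1 << 22):
        got, total = coverage(nbits)
        print(f"{nbits:>8} bits ({nbits // 8:>6} bytes): {got}/{total} states reached")
```

The bit table costs `nbits / 8` bytes whatever the number of reachable states, and the price is coverage: a state whose two bits happen to be set already is skipped without any warning, together with every error reachable only through it. A bit-state run that reports no error is therefore evidence, not proof; the `SetStore` run is the oracle here, and for a real model the check is to compare the number of states reached against an exhaustive run where one is affordable.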

70 | On nested depth first search - Holzmann, Peled, et al. - 1996
Citation Context: ...from the individual concurrent components and a single Büchi automaton representing the correctness claim, is done by SPIN in one single procedure, using a nested depth-first search algorithm [17], [36], **[43]**. The algorithm terminates when an acceptance cycle is found (which then constitutes a counterexample to a correctness requirement), or, when no counterexample exists, when the complete intersection p...

59 | Coverage Preserving Reduction Strategies for Reachability Analysis - Holzmann, Godefroid, et al. - 1992
Citation Context: ...ues are therefore not directly usable in this type of application. Static Huffman encoding, and run-length coding do have the required properties. Their effectiveness in model checkers was studied in **[38]**. It was found that run-length encoding added a substantial runtime overhead (about 400 percent) in return for only a modest reduction of the memory requirements (10 to 20 percent). Static Huffman encoding...

57 | An O(n log n) Unidirectional Distributed Algorithm for Extrema Finding in a Circle - Dolev, Klawe, et al. - 1982

42 | State compression in SPIN: Recursive indexing and compression training runs - Holzmann - 1997
Citation Context: ...descriptors for variables, channels, and processes, the compression algorithm now stores each separable element alone, and uses unique indices to the local descriptors in the global state vector, see also **[45]**. [Fig. 6. State compression: the global state descriptor (state vector) GL:P1:C1:P2 is assembled from the descriptors for the global variables (GL), process 1 (P1), channel 1 (C1) and process 2 (P2).]

38 | Tracing Protocols - Holzmann - 1985
Citation Context: ...[figure: Model Checker (ANSI C code), Executable On-The-Fly Verifier] 2 FOUNDATION SPIN has its roots in the earliest protocol verification systems based on on-the-fly reachability analysis from the early '80s [32], **[33]**, [34]. The purpose of these first verifiers was to provide an effective tool that could be used to solve problems of practical significance. The fundamental computational complexity of the problem to...

38 | Design and validation of protocols: a tutorial - Holzmann - 1993
Citation Context: ...design verification, model checking, distributed systems, concurrency. 1 INTRODUCTION SPIN is a generic verification system that supports the design and verification of asynchronous process systems [36], **[39]**. SPIN verification models are focused on proving the correctness of process interactions, and they attempt to abstract as much as possible from internal sequential computations. Process interactions...

32 | On the Verification of Temporal Properties - Godefroid, Holzmann - 1993
Citation Context: ...ut storing every state only once. The nested depth-first search can be implemented with just 2 bits of overhead per state, instead of the 64 bits of Tarjan's algorithm, using a simple encoding method **[26]**. The principle of the nested depth-first search algorithm is as follows. For an accepting cycle to exist in the reachability graph, at least one accepting state must be both reachable from the initia...
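
The nested depth-first search whose principle is sketched in this context and in the Courcoubetis et al. and Holzmann/Peled contexts above, as an added Python example that is not SPIN's code: the outer search visits the automaton in post-order and, when it backtracks from an accepting state, starts an inner search for a path back to that state; a reported lasso is then validated independently by `check_lasso`, the way one would check a counterexample before trusting it. The graph representation, the function names and the tiny Büchi automaton in `EXAMPLE_GRAPH` are constructed for this example.

```python
"""Nested depth-first search for acceptance cycles.

Added example, not SPIN's own code.  A Büchi automaton (in SPIN, the
product of the system and the negated-claim automaton) is given as an
adjacency dict plus a set of accepting states.  An accepting cycle
reachable from the initial state is a counterexample to the property.
"""
from typing import Dict, Hashable, List, Optional, Set

State = Hashable
Graph = Dict[State, List[State]]


def nested_dfs(graph: Graph, init: State, accepting: Set[State]) -> Optional[List[State]]:
    """Return a lasso [s0, ..., sk, ..., sk] through an accepting state, or None.

    The outer search explores in post-order; when it backtracks from an
    accepting state it starts an inner search for a path back to that
    state.  Each search marks a state at most once, so the bookkeeping is
    two flags per state, as the context above notes.
    """
    outer_seen: Set[State] = set()
    inner_seen: Set[State] = set()
    stack: List[State] = []  # current outer DFS path: the prefix of a lasso

    def inner(seed: State, s: State, cyc: List[State]) -> bool:
        inner_seen.add(s)
        for t in graph.get(s, []):
            if t == seed:  # closed a cycle back to the accepting seed
                cyc.append(t)
                return True
            if t not in inner_seen:
                cyc.append(t)
                if inner(seed, t, cyc):
                    return True
                cyc.pop()
        return False

    def outer(s: State) -> Optional[List[State]]:
        outer_seen.add(s)
        stack.append(s)
        for t in graph.get(s, []):
            if t not in outer_seen:
                found = outer(t)
                if found is not None:
                    return found
        # Post-order: the inner search starts only after all successors of s
        # are done; this ordering is what keeps one shared inner_seen sound.
        if s in accepting:
            cyc: List[State] = []
            if inner(s, s, cyc):
                return stack + cyc
        stack.pop()
        return None

    return outer(init)


def check_lasso(graph: Graph, init: State, accepting: Set[State], lasso: List[State]) -> bool:
    """Validate a reported counterexample independently of the search: it
    starts at init, follows edges of the graph, ends on a repeat of an
    earlier state, and the repeated part visits an accepting state."""
    if not lasso or lasso[0] != init:
        return False
    for a, b in zip(lasso, lasso[1:]):
        if b not in graph.get(a, []):
            return False
    knot = lasso.index(lasso[-1])
    if knot == len(lasso) - 1:  # no repeat: a finite path, not a cycle
        return False
    return any(s in accepting for s in lasso[knot:])


# Constructed automaton: states 2 and 3 form a cycle; 4 -> 5 is a dead end.
EXAMPLE_GRAPH: Graph = {0: [1], 1: [2, 4], 2: [3], 3: [2], 4: [5], 5: []}

if __name__ == "__main__":
    for acc in ({3}, {5}):
        lasso = nested_dfs(EXAMPLE_GRAPH, 0, acc)
        print(f"accepting={acc}: {lasso}")
```

With `{3}` accepting the search returns `[0, 1, 2, 3, 2, 3]`, a prefix 0, 1, 2 followed by the cycle 3, 2, 3; with `{5}` accepting there is no cycle through an accepting state and it returns `None`. The inner search must start only when the outer search backtracks from an accepting state: starting it on entry would let the single shared `inner_seen` set mask a cycle discovered later.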

28 | Verifying SCR Requirements Specifications Using State Exploration - Bharadwaj, Heitmeyer - 1997

26 | Algorithms for Automated Protocol Verification - Holzmann - 1988

25 | Partial Order Methods for the Verification of Concurrent Systems - Godefroid - 1996
Citation Context: ...of the SPIN software, for instance, include extensions for real-time verification [74], reactive systems modeling [54], bisimulation equivalence proofs [21], different types of partial order reduction **[27]**, [76], process algebras [24], alternate state machine models [69], alternate compression techniques [79], [29], [28], [45], and implementation generation [5], [51]. Applications of SPIN to real-life...

25 | The Theory and Practice of a Formal Method: NewCoRe - Holzmann - 1994
Citation Context: ...the optional bitstate hashing technique in SPIN. The bit-state hashing techniques have been applied with good results in several large-scale industrial applications of formal verification, e.g., [11], **[40]**. 4 PRACTICAL APPLICATIONS As typical examples of the application of SPIN to the verification of concurrent systems, we discuss three different types of problems. The first is a protocol for schedulin...

23 | Modelling and Analysis of a Collision Avoidance Protocol Using SPIN and UPPAAL - Jensen, Larsen, et al. - 1995
Citation Context: ...protocols and circuitry [36], [20], [15], rendezvous algorithms [44], security protocols [47], flood surge control systems [48], feature interaction problems [50], ethernet collision avoidance techniques **[46]**, and self-stabilizing protocols [67]. 5 CONCLUSION Most mature engineering disciplines include a methodology for constructing and analyzing prototypes of designs. Concurrent systems is, compared to c...

22 | Symbolic protocol verification with Queue BDDs - Godefroid, Long - 1999
Citation Context: ...special techniques that exploit specific knowledge about this application, greater reductions in the memory requirements may be obtained, so that the scope of this proof can be substantially extended **[28]**, but we will limit ourselves here to only the built-in capabilities of SPIN. To see what the relative effect is on the complexity of the verification of each of the complexity control measures we hav...

21 | Automatically Verified Data Transfer Protocols, Eindhoven University of Technology - Hajek - 1977
Citation Context: ...not surprising that comparable tools are still somewhat scarce. Still, the first attempts to develop the basic methodology for on-the-fly automated verification date back more than a decade, e.g., **[31]**, [81], [32], [33]. The most recent versions of these algorithms, as captured in tools such as SPIN, begin to provide some of the required capability. The design methodology that is supported by SPIN...

17 | Modelling and verification of a multiprocessor realtime OS kernel - Cattel - 1994
Citation Context: ...systems [1], hardware-software codesign [80], asynchronous hardware designs [62], multiprocessor designs [76], local area network controllers [30], microkernel design [19], [75], operating systems code **[9]**, [64], railway signaling protocols and circuitry [36], [20], [15], rendezvous algorithms [44], security protocols [47], flood surge control systems [48], feature interaction problems [50], ethernet c...

16 | Protocol Design: Redefining the State of the Art - Holzmann - 1992
Citation Context: ...range of problems. The obvious applications are to correctness of generic distributed algorithms, such as the leader election algorithm illustrated in Fig. 1, nonstandard mutual exclusion algorithms **[37]**, communications network design problems [65], or protocol design problems [2], [3], [22], [23], [7], [16], [36], [51]. In the course of the work on SPIN, we have also constructed verification models...

14 | Modeling and Verifying a Bounded Retransmission Protocol - D'Argenio, Katoen, et al.

14 | Model checking in practice: an analysis of the access.bus protocol using SPIN - Boigelot, Godefroid - 1996

13 | Model Checking Safety Critical Software with SPIN: An Application to a Railway Interlocking System - Cimatti, Giunchiglia, et al. - 1997
Citation Context: ...designs [62], multiprocessor designs [76], local area network controllers [30], microkernel design [19], [75], operating systems code [9], [64], railway signaling protocols and circuitry [36], [20], **[15]**, rendezvous algorithms [44], security protocols [47], flood surge control systems [48], feature interaction problems [50], ethernet collision avoidance techniques [46], and self-stabilizing protocols...

11 | Formal methods at AT&T: an industrial usage report - Chaves - 1991
Citation Context: ...of the optional bitstate hashing technique in SPIN. The bit-state hashing techniques have been applied with good results in several large-scale industrial applications of formal verification, e.g., **[11]**, [40]. 4 PRACTICAL APPLICATIONS As typical examples of the application of SPIN to the verification of concurrent systems, we discuss three different types of problems. The first is a protocol for sch...

9 | State space compression in Spin with GETSs - Grégoire - 1996

7 | Verifying semantic relations in SPIN - Erdogmus - 1995
Citation Context: ...held since 1995 [68]. Examples of modifications of the SPIN software, for instance, include extensions for real-time verification [74], reactive systems modeling [54], bisimulation equivalence proofs **[21]**, different types of partial order reduction [27], [76], process algebras [24], alternate state machine models [69], alternate compression techniques [79], [29], [28], [45], and implementation generat...

6 | A Unified Approach to Fault-Tolerance in Communication Protocols, Based on Recovery Procedures - Agarwal - 1995
Citation Context: ...address registration protocols [55], error control protocols [66], requirements analysis [4], controllers for reactive systems [10], distributed process scheduling algorithms [59], fault tolerant systems **[1]**, hardware-software codesign [80], asynchronous hardware designs [62], multiprocessor designs [76], local area network controllers [30], microkernel design [19], [75], operating systems code [9], [64]...

5 | Designing Bug-Free Protocols with SPIN - Holzmann - 1997

4 | PAN: a protocol specification analyzer - Holzmann - 1981
Citation Context: ...not surprising that comparable tools are still somewhat scarce. Still, the first attempts to develop the basic methodology for on-the-fly automated verification date back more than a decade, e.g., [31], [81], **[32]**, [33]. The most recent versions of these algorithms, as captured in tools such as SPIN, begin to provide some of the required capability. The design methodology that is supported by SPIN can be summa...

4 | Security Protocol Verification Using SPIN - Jøsang - 1995
Citation Context: ...local area network controllers [30], microkernel design [19], [75], operating systems code [9], [64], railway signaling protocols and circuitry [36], [20], [15], rendezvous algorithms [44], security protocols **[47]**, flood surge control systems [48], feature interaction problems [50], ethernet collision avoidance techniques [46], and self-stabilizing protocols [67]. 5 CONCLUSION Most mature engineering disciplin...

4 | Formalization and validation of the Radio Link Protocol (RLP1) - Ferguson - 1997
Citation Context: ...algorithms, such as the leader election algorithm illustrated in Fig. 1, nonstandard mutual exclusion algorithms [37], communications network design problems [65], or protocol design problems [2], [3], [22], **[23]**, [7], [16], [36], [51]. In the course of the work on SPIN, we have also constructed verification models for, e.g., the Cambridge ring protocol [56], and the IEEE logical link control protocol LLC 802...

3 | Modeling and Verification of the RUBIS Micro-Kernel with SPIN - Duval, Julliand - 1995
Citation Context: ...algorithms [59], fault tolerant systems [1], hardware-software codesign [80], asynchronous hardware designs [62], multiprocessor designs [76], local area network controllers [30], microkernel design **[19]**, [75], operating systems code [9], [64], railway signaling protocols and circuitry [36], [20], [15], rendezvous algorithms [44], security protocols [47], flood surge control systems [48], feature int...

2 | Protocol Design: From Specification to Implementation - Loeffler, Serhrouchni - 1996
Citation Context: ...different types of partial order reduction [27], [76], process algebras [24], alternate state machine models [69], alternate compression techniques [79], [29], [28], [45], and implementation generation [5], **[51]**. Applications of SPIN to real-life problems also span a broad range of problems. The obvious applications are to correctness of generic distributed algorithms, such as the leader election algorithm i...

2 | Using Concurrency and Formal Methods for the Design of Safe Process Control - Cattel - 1996
Citation Context: ...applied to the verification of data transfer protocols [5], bus protocols [6], address registration protocols [55], error control protocols [66], requirements analysis [4], controllers for reactive systems **[10]**, distributed process scheduling algorithms [59], fault tolerant systems [1], hardware-software codesign [80], asynchronous hardware designs [62], multiprocessor designs [76], local area network contr...

2 | The Application of PROMELA and SPIN - Kars - 1996
Citation Context: ...microkernel design [19], [75], operating systems code [9], [64], railway signaling protocols and circuitry [36], [20], [15], rendezvous algorithms [44], security protocols [47], flood surge control systems **[48]**, feature interaction problems [50], ethernet collision avoidance techniques [46], and self-stabilizing protocols [67]. 5 CONCLUSION Most mature engineering disciplines include a methodology for const...

1 | On the Application of an Automated Validation Tool to Realistic Protocols, MSc thesis - Alipour - 1994

1 | A Language-Based Approach to ... - Basu, Hayden, et al. - 1997

1 | Design of Validation Models in PROMELA for the Medium ... - Bouvin - 1991

1 | Verifying a Model-Checking Algorithm, Proc. Tools and Algorithms for the Construction and Analysis of Systems (TACAS 96) - Chou, Peled - 1996
Citation Context: ...e.g., [8]. The correctness properties of the reduction algorithm itself (i.e., the preservation of safety and liveness properties) were verified independently with the help of the theorem prover HOL **[13]**. 3.4 Memory Management The size of the interleaving product that SPIN computes can, in the worst case, grow exponentially with the number of processes. Given the size of the product, expressed as the...

1 | Theories of Automata on Omega-Tapes: A Simplified Approach - Choueka - 1974
Citation Context: ...absence always suffices for the purposes of verification. The nested depth first search algorithm in SPIN is extended with an optional weak fairness constraint, using Choueka's flag construction method **[14]**, [17]. Under the weak fairness constraint, every process that contains at least one transition that remains enabled infinitely long, is guaranteed to execute that transition within finite time. 3.2 F...