Function calls are another standard kind of control flow. Surprisingly, Promela does not have function calls! Every proctype instance is a separate process. Though if you really want, you could simulate a function call by creating a new process dynamically, and blocking until that process returns.
So far, we have determined the possible behaviors of a program simply by running the program a bunch of times. For small programs, we can be very careful and make sure we exhibit all the possible traces, but the state space soon becomes unwieldy.
The real power of SPIN is as a tool for verification, our original goal. SPIN will search the entire state space for us, looking for (reachable) states which fail to have desired properties.
The first verification technique we'll examine is assertions, common to many programming languages. In Promela, the statement
    assert(condition);
evaluates the condition. If the result is true, execution continues as usual. Otherwise, the entire program is aborted and an error message is printed.
When simulating a single run of the program, SPIN automatically checks these run-time assertions; this is the usage that most programmers should be familiar with from traditional programming languages. But additionally, we'll see that SPIN, in the course of searching the entire state space, verifies whether an assertion can ever fail! (Though of course it can only search finite, feasible state spaces; happily, feasible can often include hundreds of millions of states.)
Consider our last race condition example. One of our original naive expectations was that, within each process, the value of z at the end of the process is exactly one more than at the beginning. The previous examples have shown that to be wrong, but we had to run the program until we encountered a run when it failed. Here, the assert statement puts that expectation explicitly into the program, for SPIN to check.
     1  #define NUM_PROCS 3
     2
     3  show int z = 0;
     4
     5  active[NUM_PROCS] proctype increment()
     6  {
     7      show int new_z;
     8
     9      /* A saved copy of the old z, for the assertion. */
    10      show int old_z;
    11
    12      old_z = z;
    13      new_z = old_z + 1;
    14      z = new_z;
    15
    16      assert(z == old_z+1);
    17  }
It is often the case, as it is here, that to state the desired condition we need to add an extra variable; here, old_z. As always, it is important when introducing such code for testing that you don't substantially change the code to be tested, lest you inadvertently introduce new bugs!
Run this code several times, and observe when the assertion fails.
    spin: line 16 "pan_in", Error: assertion violated
    spin: text of failed assertion: assert((z==(old_z+1)))
This text indicates which assertion failed, and the line will be highlighted in the code window. To see which process's copy of increment failed and why, you have to look more closely at the steps shown.
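As an added illustration of the exhaustive search described above (example code written for this page, not part of the original text or of SPIN), the following Python enumerates every interleaving of the increment() model, counts the reachable states and collects the interleavings that violate the assertion. It assumes each Promela statement executes atomically and uses the variable names z, old_z and new_z from the model.

```python
# Assumption (not from the page): each Promela statement executes atomically.
NUM_PROCS = 3

# The four statements of increment(), in program order (lines 12-16 above).
STATEMENTS = ("old_z = z", "new_z = old_z + 1", "z = new_z", "assert(z == old_z+1)")

def step(z, local, pc):
    """Run statement pc of one process; local is (old_z, new_z).
    Returns (new z, new local, assertion_ok)."""
    old_z, new_z = local
    if pc == 0:
        return z, (z, new_z), True          # old_z = z
    if pc == 1:
        return z, (old_z, old_z + 1), True  # new_z = old_z + 1
    if pc == 2:
        return new_z, local, True           # z = new_z
    return z, local, z == old_z + 1         # assert(z == old_z+1)

def search(num_procs=NUM_PROCS):
    """Depth-first search over every reachable state (what SPIN does for us).
    Returns (distinct states seen, traces that end in an assertion violation);
    a trace is a tuple of (process index, statement) pairs."""
    init = (0, tuple((0, (0, 0)) for _ in range(num_procs)))  # z, per-proc (pc, local)
    seen = {init}
    stack = [(init, ())]
    violations = []
    while stack:
        (z, procs), trace = stack.pop()
        for i, (pc, local) in enumerate(procs):
            if pc >= len(STATEMENTS):
                continue                      # this process has terminated
            new_z, new_local, ok = step(z, local, pc)
            new_trace = trace + ((i, STATEMENTS[pc]),)
            if not ok:
                violations.append(new_trace)  # SPIN would stop the run and report here
                continue
            state = (new_z, procs[:i] + ((pc + 1, new_local),) + procs[i + 1:])
            if state not in seen:
                seen.add(state)
                stack.append((state, new_trace))
    return len(seen), violations

def shortest_counterexample(num_procs=NUM_PROCS):
    """The fewest-step interleaving that breaks the assertion, or None."""
    _, violations = search(num_procs)
    return min(violations, key=len) if violations else None

if __name__ == "__main__":
    print(search()[0], "states; shortest counterexample:", shortest_counterexample())
```

With two or more processes the shortest counterexample is seven steps: one process completes its increment, a second reads the new value and writes, and the first process then finds z two more than its old_z. A single process never violates the assertion, which is exactly why repeated runs can miss the bug while exhaustive search cannot.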