SPIN NEWSLETTER Nr. 15

SPIN NEWS - Nr. 15 - 19 January 1997

Contents of this NewsLetter:

SPIN96 AMS Proceedings
SPIN97 Workshop Reminder
Spin Version 2.9.5
Frequently Asked Questions
- Matching the value of a variable in a receive
Some Recent Papers

SPIN96 AMS Proceedings

The proceedings of the 1996 Spin Workshop are now being printed by the AMS and will soon be available. Once available the volume will be included in the list of AMS publications that can be browsed at:

	http://www.ams.org/bookstore/

(follow the links for 'Books' and 'What's New')

The full title for the volume is:

	The Spin  Verification System - Second Workshop
	on the Spin Verification System - Proceedings
	of a DIMACS Workshop

but among friends the bibliographic reference may be given as:

	Proc. Second Workshop on the Spin Verification System
	held August 5, 1996, Rutgers University, New Brunswick, NJ.
	Ed. J-C. Gregoire, G.J. Holzmann, and D.A. Peled.
	Publ. American Mathematical Society, DIMACS/39.

(In the listing at the AMS URL you can already find the proceedings for the POMIV workshop on Partial Order Methods, numbered DIMACS/29)

SPIN97 Workshop Reminder

The deadline for contributions to the 1997 Spin Workshop is:

	15 Februari 1997

The workshop is held as a satellite of TACAS97 at Twente University, The Netherlands, on 5 April this year.

We are looking forward to many participants, good demos, and inspiring talks. Send a note to one of the organizers, e.g., Rom Langerak (langerak@cs.utwente.nl) if you would like to organize a demo, intend to submit a paper, or have proposals for tutorials, panel discussions or anything else that comes to mind to make this workshop of value to you.

Attending the SPIN workshop is free (including lunch). A shuttle-bus will run on April 5 between hotel an workshop. More info, with registration and hotel information:

	http://wwwtios.cs.utwente.nl/~tacas97/
	http://netlib.bell-labs.com/netlib/spin/ws97/call.html

Useful Tools and URLs

Jean-Philippe Cottin (cottin@inf.enst.fr) writes:
The new version of a2ps, maintained by Akim Demaille, includes pretty-printing capabilities for Promela specs. Comments are welcome. The sources for a2ps can be found at

	http://www.enst.fr/~demaille/a2ps.html

a2ps recognizes a file by its extension. A Promela file is recognized by the extension ".pml" -- or one can use the explicit a2ps option "-kpromela"

A little course (in French) for Spin and Promela can also be found at

	http://www.enst.fr/~cottin/spin

Spin Version 2.9.5

The current version of Spin is still 2.9.4, from 4 November 1996. There have been few interesting changes since then -- things are pretty much stable. The upcoming new release will contain these changes:

the current option -D to spin will disappear (dataflow checks). the option is rarely used, and not very thorough. its deletion makes the source 300 lines leaner.
some small fixes - none very grave.
a link between Xspin and the graph layout program 'dot' for better display of the FSM views -- when dot is detected on the host
a better version of the Collapse compression code, preparing the way for another, more effective, to follow later this year
likely also a new coverage estimator function discovered by Ulrich Stern (contact: uli@beet.stanford.edu) will be included.

Version 2.9.5 will be available in another few weeks (quicker if you need access to the code to test some of the features, or to experiment with extensions -- please send mail if this applies to you).

Frequently Asked Questions

Matching the value of a variable in a receive

In a standard receive operation, only constant fields can be used to make the receive conditional on the value of specific parts in the incoming message. For instance, if 'msg' is a constant declared in an mtype definition, or in a #define macro, and 'data' is a variable, then

	q?msg,data

will only be executable if the first field in the incoming message also contains the value 'msg.'

A predefined function 'eval()' is part of Spin versions 2.9.3 and later. The eval() function is used to evaluate a variable to yield a value that can be used inside receive arguments as if it were a constant. This makes it possible to make a conditional receive that matches a possibly changing value of a variable. For instance

	q?eval(_pid),par2,par3

will only be executable for incoming messages with a first field that quals the value of _pid. Note that using

	q?_pid,par2,par3

instead would specify that the value of (predefined) variable _pid is to be overwritten by the value of the first field in the message, whatever that happens to be.
The function eval() can be used for any message field - the argument can be any local or global variable reference, but it cannot be an expression.

Some Recent Papers

If you have published a paper related to Spin and would like to have a pointer included in an upcoming newsletter, send the details to: spin_list@research.bell-labs.com

From Architecture Down to Implementation of Safe Process Control Applications - The Lift Case Study
by Gregory Duval and Thierry Cattel
Computer Networking Laboratory Laboratoire de Teleinformatique (LTI) Swiss Federal Institute of Technology (EPFL)
Contact: duval@di.epfl.ch, cattel@di.epfl.ch
See also: http://ltiwww.epfl.ch/~duval/lift.html
Abstract: This paper reports the results of specifying, designing, verifying and implementing safe object oriented process control applications. This work gives a solution which enables the synthesis of a general method for addressing problems associated with these procedures. This method has been applied on several case studies by using the SPIN verification tool. An implementation of the lift controller and a graphical simulation have then been realised using Synchronous C++ , a concurrent extension of C++ designed by our team and which is being integrated into Gnu gcc. Liveness and safety properties have been checked on the model to ensure that the system behaviour is correct. This application shows the efficiency of using formal methods in building safe process control applications. It also shows that Synchronous C++ is appropriate for developing process control problems and is easily translatable from synchronous models such as Promela.
Specifying and Verifying the Steam Boiler problem with SPIN
by Gregory Duval and Thierry Cattel
See also: http://ltiwww.epfl.ch/~duval/steamboiler.html
Abstract This paper reports the results of specifying and verifying the Steam Boiler problem with Promela/SPIN. Several models of the system have been produced with different degrees of completeness. Each model represents an abstract level for capturing the original problem requirements. The last model is very detailed and gives a first solution to the steam boiler problem. The model is able to drive the system and takes device failures (pumps, pump controllers, steam and water) into account. Liveness and safety properties have been successfully checked on the models to insure that the system behaviour is correct. An implementation of the system has been made using Synchronous C++, a concurrent extension of C++, and linked with the TCL/TK simulation. A presentation of future evolutions of the system is also described. This application shows that SPIN is appropriate for developing control process problems from specifications.

End of Newsletter Nr. 15.

Gerard J. Holzmann (gerard@research.bell-labs.com)