# SPIN
* https://spinroot.com/spin/whatispin.html

## Books

- Mordechai Ben-Ari. **Principles of the Spin Model Checker**. Springer-Verlag: 2008. http://www.weizmann.ac.il/sci-tea/benari/software
- SMC: Gerard J. Holzmann. **The Spin Model Checker: Primer and Reference Manual**. Addison-Wesley: 2004.
- PCDP: Mordechai Ben-Ari. **Principles of Concurrent and Distributed Programming**, Second Edition. Addison-Wesley: 2006.

## More 
* [Promela.ipynb](./Promela.ipynb)

## Tools

* VSCode plugin: Promela for VS, SPIN Promela language

* JSPIN

jSpin, developed by Moti Ben-Ari, is an alternative to the iSpin GUI written in Java instead of Tcl/Tk. It is meant as a teaching aid.

https://github.com/motib/jspin

```shell
# D:\workspace\rtfsc\jspin
$ java -jar jspin.jar

# 配置文件: config.cfg
```

* SPINSPIDER

SPINSPIDER is a software tool for automatically generating the state transition diagram of a PROMELA program.

When SPIN performs a verification, it searches the full state space and sufficient information is available on the search to enable the construction of the state diagram.

SPINSPIDER works with four input files:

(1) the PROMELA source file, <br/>
(2) the debug file obtained by running a verification of the program with the `-DCHECK` option and with a never claim that prints out the program counters and variable values,<br/>
(3) the statement file obtained by running a verification with the `-d` option,<br/>
(4) the trail file of a computation.


* VN: Visualizing nondeterminism

# Installation

Windows: `~\bin\pc_spin651\spin.exe`

WSL:

```shell
$ mv spin651_linux64 spin
$ mv spin /usr/local/bin/
$ which spin
/usr/local/bin/spin
$ spin -V
Spin Version 6.5.1 -- 20 December 2019
```

# Help

In [21]:
!spin --help

use: spin [-option] ... [-option] file
	Note: file must always be the last argument
	-A apply slicing algorithm
	-a generate a verifier in pan.c
	-B no final state details in simulations
	-b don't execute printfs in simulation
	-C print channel access info (combine with -g etc.)
	-c columnated -s -r simulation output
	-d produce symbol-table information
	-Dyyy pass -Dyyy to the preprocessor
	-Eyyy pass yyy to the preprocessor
	-e compute synchronous product of multiple never claims (modified by -L)
	-f "..formula.."  translate LTL into never claim
	-F file  like -f, but with the LTL formula stored in a 1-line file
	-g print all global variables
	-h at end of run, print value of seed for random nr generator used
	-i interactive (random simulation)
	-I show result of inlining and preprocessing
	-J reverse eval order of nested unlesses
	-jN skip the first N steps in simulation trail
	-k fname use the trailfile stored in file fname, see also -t
	-L when using -e, use strict language inters

# Book PSMC: Principles of the Spin Model Checker

convention:
- SMC: Gerard J. Holzmann. The Spin Model Checker: Primer and Reference Manual. Addison-Wesley, Reading, MA, 2004.
- MLCS: Mordechai Ben-Ari. Mathematical Logic for Computer Science (Second Edition). Springer, London, 2001.
- PCDP: M. Ben-Ari. Principles of Concurrent and Distributed Programming (Second Edition). Addison-Wesley, Harlow, UK, 2006.

| #   | Title                               | Progress | Description |
| :-- | :---------------------------------- | :------- | :---------- |
| 1   | Sequential Programming in PROMELA   | 100%     | 2022-12-21  |
| 2   | Verification of Sequential Programs | 100%     | 2022-12-22  |
| 3   | Concurrency                         | 100%     | 2022-12-26  |
| 4   | Synchronization                     | 100%     | 2022-12-27  |
| 5   | Verification with Temporal Logic    | 100%     | 2022-12-28  |
| 6   | Data and Program Structures         | 100%     | 2022-12-28  |
| 7   | Channels                            | 100%     | 2022-12-28  |
| 8   | Nondeterminism                      | 100%     | 2022-12-28  |
| 9   | Advanced Topics in PROMELA          | 100%     | 2022-12-29  |
| 10  | Advanced Topics in SPIN             | 100%     | 2022-12-29  |
| 11  | Case Studies                        | xxx%     | yyyy-mm-dd  |

In [15]:
%cd /mnt/d/GoogleDrive/wiki/jupyter-notebooks/Modeling/SPIN/PSMC

/mnt/d/GoogleDrive/wiki/jupyter-notebooks/Modeling/SPIN/PSMC


##  1. Sequential Programming in PROMELA

In [24]:
%cd /mnt/d/GoogleDrive/wiki/jupyter-notebooks/Modeling/SPIN/PSMC/ch01

/mnt/d/GoogleDrive/wiki/jupyter-notebooks/Modeling/SPIN/PSMC/ch01


SPIN是一个模型检测器(model checker): 一个验证物理系统, 特别是计算机系统的软件工具.

1. 编写描述系统行为的模型
2. 描述表达系统行为需求的正确性属性(correctness properties)
3. 运行模型检测器以检查模型是否保持正确性属性, 如果不保持, 提供反例(counterexample): 不满足正确性属性的计算(computation).

Listing 1.1. Reversing digits

构造: 
- 赋值语句
- 表达式
- 进程: active proctype
- 注释 /* */, //
- printf

模拟模式(simulation mode): SPIN编译和执行PROMELA程序.

- 限制模拟运行的步数: spin -uN
- 过滤输出: jSPIN MSC配置
- Promela输入: STDIN channel

In [25]:
!spin reversing_digits.pml

      value = 123,reversed = 321
1 process created


数值数据类型: bit, bool, byte, short, int, unsigned
- 尽量使用较少位的类型, 以避免验证中状态数量爆炸.

没有: 字符类型, 字符串变量, 浮点数类型

没有: 显式类型转换
- 算术先隐式转换成int, 赋值时再隐式转换成变量的类型.

操作符


Table 1.2. Operators in Promela

```
Precedence Operator Associativity Name
14 () left parentheses
14 [ ] left array indexing
14 . left field selection
13 ! right logical negation
13 ~ right bitwise complementation
13 ++, -- right increment, decrement
12 *, /, % left multiplication, division, modulo
11 +, - left addition, subtraction
10 <<, >> left left and right bitwise shift
9 <, <=, >, >= left arithmetic relational operators
8 ==, != left equality, inequality
7 & left bitwise and
6 ^ left bitwise exclusive or
5 | left bitwise inclusive or
4 && left logical and
3 || left logical or
2 ( -> : ) right conditional expression
1 = right assignment
```

表达式
- PROMELA中表达式必须是无副作用的.
- PROMELA与C语言的差异
  - 赋值语句不是表达式
  - `++`, `--`在赋值语句中只能用作后缀操作符, 不能用在赋值语句右侧的表达式中
  - 没有前缀`++`, `--`

```promela
b++ // ok

a = b++ // error
```

局部变量: 
- 作用域是其声明的进程
- 所有局部变量声明隐式的移动到进程的开始处

符号名:
- `#define N 10`: 数值的符号
- `mtype`: 值的助记名
  - 使用`%e`格式描述符/`printm`输出, 出现在程序的trace中
  - 一个程序中只有唯一的一组名称


控制语句:
- guarded commands: 表达不确定性
- location counter: 记录下一个执行的指令地址的寄存器
- control point: 控制点, 指令的地址
- 分类:
  * sequence: 顺序, 使用`;`分隔
  * selection: 选择
  * repetition: 重复
  * jump 跳转
  * `unless`


选择语句:
- `if`: `:: <guard> -> <statements>`
 - `<guard>`和`<statements>`之间可能存在interleaving(交错)
 - `else`: 所有其他`<guard>`求值为false时才执行
 - 所有`<guard>`求值为false时, 进程阻塞直到某个`<guard>`求值为true.
 - `skip`: `<statements>`为空
- conditional expression: `max = (a > b -> a : b)`
  - 必须有`()`, 该赋值是原子语句 


重复语句:
- `do`: 与`if`类似
  - `break`L 结束循环

宏: 见6.3.2节

跳转语句:
- `goto`

##  2. Verification of Sequential Programs

In [26]:
%cd /mnt/d/GoogleDrive/wiki/jupyter-notebooks/Modeling/SPIN/PSMC/ch02

/mnt/d/GoogleDrive/wiki/jupyter-notebooks/Modeling/SPIN/PSMC/ch02


- 程序的状态state: 变量的值, location counter
- 程序的计算computation:
- 程序的状态空间state space

断言assertion
- `assert`
- precondition, invariant, postcondition

SPIN验证步骤:
- 从PROMELA源码生成验证器源码(C语言): `spin -a xxx.pml`
- 编译验证器 `pan`
- 执行验证器, 生成报告(错误时生成踪迹文件)


`pan`的参数:
- `-e`: 创建所有错误的踪迹(trail)
- `-cN`: 在第N次错误时停止. `-c0`忽略所有错误不产生踪迹文件.

踪迹文件: SPIN的guided模拟模式运行以重构计算
- `spin -t xxx.pml`

SPIN显示模拟中数据:
- `-p`: statements, 进程执行的语句
- `-g`: globals, 全局变量的值
- `-l`: locals, 局部变量的值
- `-s`: send, channel中执行的发送指令
- `-r`: receive, channel中执行的接收指令

In [None]:
!spin -a max-error.pml
# -w: disable warnning message
!gcc -w -o pan pan.c
!./pan

pan:1: assertion violated ( ((a>=b)) ? ((max==a)) : ((max==b)) ) (at depth 0)
pan: wrote max-error.pml.trail

(Spin Version 6.5.1 -- 20 December 2019)
	+ Partial Order Reduction

Full statespace search for:
	never claim         	- (none specified)
	assertion violations	+
	acceptance   cycles 	- (not selected)
	invalid end states	+

State-vector 24 byte, depth reached 2, errors: 1
        3 states, stored
        0 states, matched
        3 transitions (= stored+matched)
        0 atomic steps
hash conflicts:         0 (resolved)

Stats on memory usage (in Megabytes):
    0.000	equivalent memory usage for states (stored*(State-vector + overhead))
    0.292	actual memory usage for states
  128.000	memory used for hash table (-w24)
    0.534	memory used for DFS stack (-m10000)
  128.730	total actual memory usage



pan: elapsed time 0.01 seconds


In [None]:
# 验证: 上面的3步合并为1步
# TODO: mute gcc warning
!spin -run max-error.pml

[01m[Kpan.c:[m[K In function ‘[01m[Kmake_trail[m[K’:
 1891 |                 sprintf(fnm, "%s[01;35m[K%d[m[K.%s",
      |                                 [01;35m[K^~[m[K
[01m[Kpan.c:1891:30:[m[K [01;36m[Knote: [m[Kdirective argument in the range [1, 2147483647]
 1891 |                 sprintf(fnm, [01;36m[K"%s%d.%s"[m[K,
      |                              [01;36m[K^~~~~~~~~[m[K
In file included from [01m[K/usr/include/stdio.h:894[m[K,
                 from [01m[Kpan.c:7[m[K:
[01m[K/usr/include/x86_64-linux-gnu/bits/stdio2.h:38:10:[m[K [01;36m[Knote: [m[K‘[01m[K__builtin___sprintf_chk[m[K’ output 3 or more bytes (assuming 523) into a destination of size 512
   38 |   return [01;36m[K__builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,[m[K
      |          [01;36m[K^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[m[K
   39 | [01;36m[K                                  __glibc_objsize (__s), __fmt,[m[K
      |       

In [None]:
# follow simulation trail
!spin -t max-error.pml

spin: max-error.pml:7, Error: assertion violated
spin: text of failed assertion: assert(( ((a>=b)) -> ((max==a)) : ((max==b)) ))
spin: trail ends after 1 steps
#processes: 1
  1:	proc  0 (P:1) max-error.pml:8 (state 8) <valid end state>
1 process created


In [None]:
# 显示trail中更多信息
!spin -t -p -g -l max-error.pml

  1:	proc  0 (P:1) max-error.pml:5 (state 3)	[((b>=a))]
  1:	proc  0 (P:1) max-error.pml:5 (state 4)	[max = (b+1)]
		P(0):max = 6
spin: max-error.pml:7, Error: assertion violated
spin: text of failed assertion: assert(( ((a>=b)) -> ((max==a)) : ((max==b)) ))
  1:	proc  0 (P:1) max-error.pml:7 (state 7)	[assert(( ((a>=b)) -> ((max==a)) : ((max==b)) ))]
		P(0):max = 6
spin: trail ends after 1 steps
#processes: 1
  1:	proc  0 (P:1) max-error.pml:8 (state 8) <valid end state>
		P(0):max = 6
		P(0):b = 5
		P(0):a = 5
1 process created


In [39]:
# 清理
!rm -f pan.* pan *.trail

In [41]:
!spin -p -g -l max-error.pml

  0:	proc  - (:root:) creates proc  0 (P)
  1:	proc  0 (P:1) max-error.pml:5 (state 3)	[((b>=a))]
  2:	proc  0 (P:1) max-error.pml:5 (state 4)	[max = (b+1)]
		P(0):max = 6
  3:	proc  0 (P:1) max-error.pml:7 (state 6)	[.(goto)]
spin: max-error.pml:7, Error: assertion violated
spin: text of failed assertion: assert(( ((a>=b)) -> ((max==a)) : ((max==b)) ))
#processes: 1
  4:	proc  0 (P:1) max-error.pml:7 (state 7)
		P(0):max = 6
		P(0):b = 5
		P(0):a = 5
1 process created


##  3. Concurrency
##  4. Synchronization
##  5. Verification with Temporal Logic
##  6. Data and Program Structures
##  7. Channels
##  8. Nondeterminism
##  9. Advanced Topics in PROMELA
##  10. Advanced Topics in SPIN
##  11. Case Studies

## Supplementary Material on Spin Version 6

> supplementary material: https://extras.springer.com/?query=978-1-84628-769-5

- the `for`-statement.
- the `select`-statement.
- `inline` definitions now create a new scope for variable declarations.
- the LTL formula can be written within the PROMELA program.

```promela
ltl mutex { []!(csp && csq) }
ltl nostarvation { []<>csp }

// no longer necessary to define symbols
ltl { [](critical <= 1) }
// a remote reference is considered an expression
ltl { []!(P@cs && Q@cs) }
// temporal operators can be given as keywords
ltl mutex { always !(csp && csq) }
ltl nostarvation { always eventually csp }
```

```shell
pan -N mutex
```

# Book PCDP: Principles of Concurrent and Distributed Programming

In [1]:
%cd /mnt/d/GoogleDrive/wiki/jupyter-notebooks/Modeling/SPIN/PCDP

/mnt/d/GoogleDrive/wiki/jupyter-notebooks/Modeling/SPIN/PCDP


## 1. What is Concurrent Programming?

## 2. The Concurrent Programming Abstraction

- 并发执行: 原子语句的交错(interleaving)
- 任意的交错
- 原子语句
- 正确性(correctness)
- 公平性(fairness)
- 机器码指令: 寄存器机器, 栈机器
- 易失性(volatile)变量, 非原子变量


A **concurrent program** consists of a finite set of
(sequential) processes. The processes are
written using a finite set of **atomic statements**.
The execution of a concurrent program
proceeds by executing a sequence of the
atomic statements obtained by **arbitrarily
interleaving** the atomic statements from the
processes. A **computation** is an execution
sequence that can occur as a result of the
interleaving. Computations are also called
**scenarios**.

During a computation the **control pointer** of a
process indicates the next statement that can
be executed by that process. Each process
has its own control pointer.

The **state** of a (concurrent) algorithm is a
tuple consisting of one element for each
process that is a label from that process, and
one element for each global or local variable
that is a value whose type is the same as the
type of the variable.

Let s1 and s2 be states. There is a **transition**
between s1 and s2 if executing a statement in
state s1 changes the state to s2. The statement
executed must be one of those pointed to by a
control pointer in s1.

A **state diagram** is a graph defined inductively.
The initial state diagram contains a single node
labeled with the initial state. If state s1 labels a
node in the state diagram, and if there is a
transition from s1 to s2, then there is a node
labeled s2 in the state diagram and a directed
edge from s1 to s2.
For each state, there is only one node labeled
with that state.
The set of **reachable states** is the set of states
in a state diagram.


**Safety properties** The property must always be
true.
**Liveness properties** The property must eventually
become true.


linear temporal logic (LTL)
Branching temporal logic: CTL is a branching temporal logic 

LTL is used in this book


A scenario is (**weakly**) **fair** if at any state in the
scenario, a statement that is continually
enabled eventually appears in the scenario.

工具, 语言
- BACI并发模拟器: Ben-Ari Concurrency Interpreter
- Ada
- Java
- PROMELA

Algorithm 2.1. Trivial concurrent program

convention: 
Each labeled line represents an atomic
statement.

Algorithm 2.2. Trivial sequential program
Algorithm 2.3. Atomic assignment statements
Algorithm 2.4. Assignment statements with one global reference

assumption:
Assignment statements are atomic
statements, as are evaluations of boolean
conditions in control statements.

Algorithm 2.5. Stop the loop

Algorithm 2.6. Assignment statement for a register machine
Algorithm 2.7. Assignment statement for a stack machine

An occurrence of a variable v is defined to be
**critical reference**: (a) if it is assigned to in one
process and has an occurrence in another
process, or (b) if it has an occurrence in an
expression in one process and is assigned to in
another.
A program satisfies the **limited-criticalreference (LCR)** restriction if each statement
contains at most one critical reference.

Algorithm 2.8. Volatile variables

Specifying a variable as
**volatile** instructs the compiler to load and store the
value of the variable at each use, rather than attempt
to optimize away these loads and stores.
Concurrency may also affect computations with
multiword variables. 

Algorithm 2.9. Concurrent counting algorithm

```
integer n <- 0
-
p                    | q
    integer temp     |     integer temp
p1: do 10 times      | q1: do 10 times
p2:   temp <- n      | q2:    temp <- n
p3:   n <- temp + 1  | q3:    n <- temp + 1
```

In [None]:
# Listing 2.5. A Promela program for the counting algorithm
!spin l2.5-counting-algo.pml

      MSC: The value is 14
3 processes created


## 3. The Critical Section Problem

问题定义和假设:

- Each of N processes is executing in a infinite loop a sequence of
statements that can be divided into two subsequences: the **critical
section** and the non-critical section.

- The correctness specifications required of any solution are:
  - **Mutual exclusion** Statements from the critical sections of two
or more processes must not be interleaved.
  - **Freedom from deadlock** If some processes are trying to enter
their critical sections, then one of them must eventually
succeed.
  - **Freedom from (individual) starvation** If any process tries to
enter its critical section, then that process must eventually
succeed.

- A synchronization mechanism must be provided to ensure that the
correctness requirements are met. The synchronization mechanism
consists of additional statements that are placed before and after
the critical section. The statements placed before the critical section
are called the **preprotocol** and those after it are called the
**postprotocol**. 

- The protocols may require local or global variables, but we assume
that no variables used in the critical and non-critical sections are
used in the protocols, and vice versa.
- The critical section must **progress**, that is, once a process starts to
execute the statements of its critical section, it must eventually
finish executing those statements.
关键区域中必须有进展.
- The non-critical section need not progress, that is, if the control
pointer of a process is at or in its non-critical section, the process
may terminate or enter an infinite loop and not leave the noncritical section.
非关键区域中可以没有进展.

Algorithm 3.1. Critical section problem

Algorithm 3.2. First attempt

```
integer turn <- 1

p: 
loop forever
p1: non-critical section
p2: await turn = 1           // 等待: 我的机会
p3: critical section
p4: turn <- 2               // 他的机会

q:
loop forever
q1: non-critical section
q2: await turn = 2
q3: critical section
q4: turn <- 1
```

`turn`作为进入关键区域的权限: 值表示哪个进程持有资源.


Algorithm 3.3. History in a sequential algorithm
Algorithm 3.4. History in a concurrent algorithm
Algorithm 3.5. First attempt (abbreviated)

使用状态图证明正确性
- 互斥: YES
- 无死锁: YES
- 无饥饿: NO
  - 非关键区域可以无进展

Algorithm 3.6. Second attempt

```
boolean wantp <- false, wantq <- false
-
p:
loop forever
p1: non-critical section
p2: await wantq = false     // 等待: 他不要
p3: wantp <- true           // 我要
p4: critical section
p5: wantp <- false          // 我不要

q:
loop forever
q1: non-critical section
q2: await wantp = false
q3: wantq <- true
q4: critical section
q5: wantq <- false
```

Algorithm 3.7. Second attempt (abbreviated)

正确性:
- 互斥: NO

Algorithm 3.8. Third attempt

```
boolean wantp <- false, wantq <- false
-
p:
loop forever
p1: non-critical section
p2: wantp <- true         // 我要
p3: await wantq = false   // 等待: 他不要
p4: critical section
p5: wantp <- false        // 我不要

q:
loop forever
q1: non-critical section
q2: wantq <- true
q3: await wantp = false
q4: critical section
q5: wantq <- false
```

正确性:
- 互斥: YES
- 无死锁: NO
  - 不可出节点: 活锁

Algorithm 3.9. Fourth attempt

```
boolean wantp <- false, wantq <- false
-
p:
loop forever
p1: non-critical section
p2: wantp <- true          // 我要
p3: while wantq            // 他要时
p4:   wantp <- false       //   我不要
p5:   wantp <- true        //   我要
p6: critical section
p7: wantp <- false         // 我不要

q:
loop forever
q1: non-critical section
q2: wantq true
q3: while wantp
q4:   wantq <- false
q5:   wantq <- true
q6: critical section
q7: wantq <- false
```

正确性:
- 互斥: YES
- 无死锁: YES
- 无饥饿: NO
  - 存在环

Algorithm 3.10. Dekker's algorithm

```
boolean wantp <- false, wantq <- false
integer turn <- 1
-
p:
loop forever
p1: non-critical section
p2: wantp <- true          // 我要
p3: while wantq            // 他要时
p4:   if turn = 2          //   他的机会
p5:     wantp <- false     //     我不要
p6:     await turn = 1     //     等待: 我的机会
p7:     wantp <- true      //     我要
p8: critical section
p9: turn <- 2             // 机会给他
p10: wantp <- false       // 我不要

q:
loop forever
q1: non-critical section
q2: wantq <- true
q3: while wantp
q4:   if turn = 1
q5:     wantq <- false
q6:     await turn = 2
q7:     wantq <- true
q8: critical section
q9: turn <- 1
q10: wantq false
```

## 4. Verification of Concurrent Programs

- the specification of correctness properties: 正确性属性的描述
- inductive proof: 归纳证明
- invariant: 不变量
- a system of temporal logic: 时态逻辑的系统
  - deductive: 推论的, 演绎的
    - 在所有计算的状态上归纳
    - 只需要考虑能修改公式中原子命题真值的语句
  - specify correctness properties for model checkers
  - tools: SPIN, STeP, TLA

示例: the third attemp satisfies the mutual exclusion property

A Deductive Proof of Dekker's Algorithm
- 进展: 如果计算在一个状态满足A, 则计算必须进展到另一个状态满足B.
- 假设: 所有计算是weakly fair的.
- 赋值语句: 持有进展.
- 关键区域: 必须持有进展.
- 非关键区域: 不需要持有进展.
- 控制语句: 
  - 证明选择了某一个分支: `p4 /\ [](turn = 2) -> <> p5`

进展的证明规则:
- (a) []A -> <>B
- (b) <>[]A
结论: `<>B`

证明: 无饥饿
- 假设: `q`总是尝试进入关键区域 `[]<> ~ q1`
- `p2 -> <>P8`


the Promela Modeling Language

In [3]:
# Listing 4.1. Dekker's algorithm in Promela
!spin -run -safety l4.1-dekker-algo-safety.pml

[01m[Kpan.c:[m[K In function ‘[01m[Kmake_trail[m[K’:
 1942 |                 sprintf(fnm, "%s[01;35m[K%d[m[K.%s",
      |                                 [01;35m[K^~[m[K
[01m[Kpan.c:1942:30:[m[K [01;36m[Knote: [m[Kdirective argument in the range [1, 2147483647]
 1942 |                 sprintf(fnm, [01;36m[K"%s%d.%s"[m[K,
      |                              [01;36m[K^~~~~~~~~[m[K
In file included from [01m[K/usr/include/stdio.h:894[m[K,
                 from [01m[Kpan.c:7[m[K:
[01m[K/usr/include/x86_64-linux-gnu/bits/stdio2.h:38:10:[m[K [01;36m[Knote: [m[K‘[01m[K__builtin___sprintf_chk[m[K’ output 3 or more bytes (assuming 523) into a destination of size 512
   38 |   return [01;36m[K__builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,[m[K
      |          [01;36m[K^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[m[K
   39 | [01;36m[K                                  __glibc_objsize (__s), __fmt,[m[K
      |       

## 5. Advanced Algorithms for the Critical Section Problem

## 6. Semaphores

## 7. Monitors

## 8. Channels

## 9. Spaces

## 10. Distributed Algorithms

## 11. Global Properties

## 12. Consensus

## 13. Real-Time Systems

## A. The Pseudocode Notation

## B. Review of Mathematical Logic

## C. Concurrent Programming Problems

## D. Software Tools

- BACI, jBACI
- Spin, jSpin
- DAJ: https://github.com/motib/daj


Spin, jSpin:
- 验证过程: 生成验证器, 执行验证器, 无错误或有错误(生成踪迹文件)
  - 是否将LTL公式翻译为never claim
```
-f "..formula.."  translate LTL into never claim
```
- 三种模式
  - safety: 用于验证安全性属性(例如无死锁), 断言和不变量(例如使用`[]`公式表达的)
  - acceptance: 用于验证活跃性属性(例如使用`<>`公式表达式的无饥饿)
  - non-progress: 另一种验证活跃性属性的方法, 不显式编写LTL公式.
```
-run
		    -safety	compile for safety properties only
		    -a	    	search for acceptance cycles
		    -l	    	search for non-progress cycles
```
- 可以选择验证时是否假设weak fairness.