如何解释SPIN错误输出？

Question

我正在尝试为以下LTL属性检查一个简单的Promela模型：

ltl { M[0] U M[1] }

我收到错误，错误跟踪的引导模拟产生以下输出：

ltl ltl_0: (M[0]) U (M[1])
spin: couldn't find claim 2 (ignored) 
0 :init ini M[0] = 1             
Process Statement                M[0]       M[1]       
0 :init ini M[1] = 0             1          0          
Starting net with pid 2
0 :init ini run net()            1          0          
spin: trail ends after 4 steps
#processes: 2
  4:    proc  1 (net) petri:11 (state 13)
  4:    proc  0 (:init:) petri:25 (state 5)
2 processes created
Exit-Status 0

现在我不知道M [1]直到M [1]＆＃34;这里违反了。在初始化过程中M [0]设置为1，并且保持不变，直到M [1]变为1.并且跟踪结束得那么早，或者我可能误解了＃34; stronguntil＆＃34;的语义。完全。 我很有信心就是这样......但我做错了什么？在Promela文件中指定LTL好吗？

有问题的模型如下（一个简单的petri网）：

#define nPlaces 2
#define nTransitions 2
#define inp1(x1) (x1>0) -> x1--
#define out1(x1) x1++

int M[nPlaces];
int T[nTransitions];

proctype net()
{
    do
    ::  d_step{inp1(M[0])->T[0]++;out1(M[1]);skip}
    ::  d_step{inp1(M[1])->T[1]++;out1(M[0]);skip}
    od
}
init
{
    atomic 
    {
        M[0] = 1;
        M[1] = 0;
    }
    run net();
}

ltl { M[0] U M[1] }

Answer 1

您的声明在初始状态（init使用atomic之前）被违反。这是一个SPIN验证运行（pan -a），其中包含跟踪文件的输出：

ebg@ebg$ spin -a foo.pml
ltl ltl_0: (M[0]) U (M[1])
ebg@ebg$ gcc -o pan pan.c
ebg@ebg$ ./pan -a
pan:1: assertion violated  !(( !(M[0])&& !(M[1]))) (at depth 0)
pan: wrote foo.pml.trail

(Spin Version 6.2.4 -- 21 November 2012)
Warning: Search not completed
    + Partial Order Reduction

Full statespace search for:
    never claim             + (ltl_0)
    assertion violations    + (if within scope of claim)
    acceptance   cycles     + (fairness disabled)
    invalid end states  - (disabled by never claim)

State-vector 36 byte, depth reached 6, errors: 1
        4 states, stored (7 visited)
        1 states, matched
        8 transitions (= visited+matched)
        0 atomic steps
hash conflicts:         0 (resolved)

Stats on memory usage (in Megabytes):
    0.000   equivalent memory usage for states (stored*(State-vector + overhead))
    0.290   actual memory usage for states
  128.000   memory used for hash table (-w24)
    0.534   memory used for DFS stack (-m10000)
  128.730   total actual memory usage



pan: elapsed time 0 seconds
ebg@ebg$ spin -p -t foo.pml
ltl ltl_0: (M[0]) U (M[1])
starting claim 2
using statement merging
spin: _spin_nvr.tmp:5, Error: assertion violated
spin: text of failed assertion: assert(!((!(M[0])&&!(M[1]))))
Never claim moves to line 5 [D_STEP]
spin: trail ends after 1 steps
#processes: 1
        M[0] = 0
        M[1] = 0
        T[0] = 0
        T[1] = 0
  1:    proc  0 (:init:) foo.pml:18 (state 3)
  1:    proc  - (ltl_0) _spin_nvr.tmp:3 (state 6)
1 processes created

您可以看到ltl已翻译为：assert(!(( !(M[0])&& !(M[1]))))，即：

  !(( !0 && !0))
  !((  1 &&  1))
  !((  1 ))
  0

因此违反了断言。

避免此问题的最简单方法是将数组更改为单独的变量。由于你的数组只是2号，所以很容易做到：

int M0 = 1;
int M1 = 0;
int T0 = 0;
int T1 = 0;
/* then use as appropriate. */

有了这个，您可以跳过init，只需将net proctype声明为active proctype net ()

Answer 2

你的ltl公式放好了。如果您使用ispin并验证（不模拟）您的程序，请确保选中“使用声明”选项。警告：默认值为“不要使用never声明或ltl属性”。