I am trying to understand why the assertion in this model is not triggered.
ltl { !A@wa U B@sb && !B@wb U A@sa }
byte p = 0
byte q = 0
int x = 0
inline signal(sem) { sem++ }
inline wait (sem) { atomic { sem > 0 ; sem-- } }
proctype A() {
x = 10*x + 1
signal(p)
sa: wait(q)
wa: x = 10*x + 2
}
proctype B() {
x = 10*x + 3
signal(q)
sb: wait(p)
wb: x = 10*x + 4
}
init {
atomic { run A(); run B() }
_nr_pr == 1
assert(x != 1324)
}
Clearly there is a sequence of operations that produces the final value x = 1324:

x = 0
A sets x = 10*0 + 1 = 1
B sets x = 10*1 + 3 = 13
A and B let each other pass (signal/wait); A sets x = 10*13 + 2 = 132
B sets x = 10*132 + 4 = 1324
Answer 0: (score: 1)
The assertion is not triggered because it is never reached when the solver proves the property ltl { !A@wa U B@sb && !B@wb U A@sa } to be true.
Looking at the output given by the solver, it clearly states that it will check any assertion, but only if it is within the scope of the claim:
Full statespace search for:
never claim + (ltl_0)
assertion violations + (if within scope of claim)
The assertion is not reached:
unreached in init
t.pml:27, state 5, "assert((x!=1324))"
t.pml:28, state 6, "-end-"
(2 of 6 states)
You can use the -noclaim option so that only the assertions of the model are checked, and then it can easily be proven false:
~$ spin -search -noclaim t.pml
ltl ltl_0: ((! ((A@wa))) U ((B@sb))) && ((! ((B@wb))) U ((A@sa)))
pan:1: assertion violated (x!=1324) (at depth 13)
pan: wrote t.pml.trail
(Spin Version 6.4.8 -- 2 March 2018)
Warning: Search not completed
+ Partial Order Reduction
Full statespace search for:
never claim - (not selected)
assertion violations +
cycle checks - (disabled by -DSAFETY)
invalid end states +
State-vector 36 byte, depth reached 15, errors: 1
48 states, stored
6 states, matched
54 transitions (= stored+matched)
1 atomic steps
hash conflicts: 0 (resolved)
Stats on memory usage (in Megabytes):
0.003 equivalent memory usage for states (stored*(State-vector + overhead))
0.286 actual memory usage for states
128.000 memory used for hash table (-w24)
0.534 memory used for DFS stack (-m10000)
128.730 total actual memory usage
pan: elapsed time 0 seconds
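An added example, not the question's or the answer's own code: the same model with the end-state check written as a second LTL property (the property names are my own), so that it can be verified on its own instead of only within the scope of the ordering claim. The command lines assume Spin 6, as used in the answer.

```promela
/* Added example (not from the original post): the assert in init is
 * replaced by a safety property, so each property is checked in its
 * own verification run and neither one shadows the other. */
ltl ordering { !A@wa U B@sb && !B@wb U A@sa }
ltl no_1324  { [] (x != 1324) }   /* the former assert(x != 1324) */

byte p = 0;
byte q = 0;
int  x = 0;

inline signal(sem) { sem++ }
inline wait(sem)   { atomic { sem > 0; sem-- } }

proctype A() {
    x = 10*x + 1;
    signal(p);
sa: wait(q);
wa: x = 10*x + 2
}

proctype B() {
    x = 10*x + 3;
    signal(q);
sb: wait(p);
wb: x = 10*x + 4
}

init {
    atomic { run A(); run B() };
    _nr_pr == 1          /* block until A and B have both terminated */
}

/* Spin uses one never claim per run, so select each property by name:
 *   spin -search -ltl ordering t.pml   -> the ordering property holds, 0 errors
 *   spin -search -ltl no_1324  t.pml   -> violated, t.pml.trail is written
 *   spin -t -p t.pml                   -> replays the A, B, A, B interleaving
 */
```

With the check expressed this way the A, B, A, B interleaving from the question is found as a counterexample to no_1324 without needing -noclaim, while ordering can still be verified separately.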