(a 1, a 2, a 3, a 4 ) ³Æ s 10. a 1 a 2 a 3 a 4 a 1 a 2 a 3 a 4. ( a 1 a 2 a 3 a 4 a 1 a 2 a 3 a 4) (a 1 a 2 a 3 a 4 a 1 a 2 a 3 a 4)

5 à ¹¾½ 5.1 ÇÉ» Â Â Þ Kripke Ù M =< S,, I, L > ½ Đ ÞÒ S «É S 2 n Ä ĐÞ n Ê Æ Å n = 4 ÄÝ s 0, s 1, s 2,... (a 1, a 2, a 3, a 4 ) ³Æ s 10 ȹÌĐÞ ÁÆ Ü Đ ³¹Á Ü Ô Ô Ü Ä Ü Á Æ ÔÆ ¹ Ä¹Ì Å Á a 1 a 2 a 3 a 4 Æ s 10 a 2 a 3 a 4 Æ {s 2, s 10 ȹ Ä ¹ÌÜÚĐÞ ÁÆ ĐÛ n Ò a 1,..., a n Å È Ä (s 2, s 10 ) ĐÞÆ a 1 a 2 a 3 a 4 a 1 a 2 a 3 a 4 È Ä ¹Ì {(s 2, s 10 ), (s 10, s 10 ) ĐÞÆ ( a 1 a 2 a 3 a 4 a 1 a 2 a 3 a 4) (a 1 a 2 a 3 a 4 a 1 a 2 a 3 a 4) ÁĐÞÐ ( a 2 a 3 a 4 a 1 a 2 a 3 a 4 ) Kripke Ù L ¹ ÍÈ¹Æ ¹ ¹ L ß p AP ĐÞ Å L (p) = {s L(s) = p Þ L ĐÞ Å L(s) = {p AP s L (p) ĐÞ L Ê L Ô È ³± ʹ º ¹ Ú ĐÞ L º³ L ¹Ü L (p) Ü ÈÌ L (p) ĐÞ Ü Á Æ Á¹ Å ĐÞ Ì¹ Å Ì¹Õ Ü Á¹Ìº ̹ Ü Á¹ º ̹ ±Ä Ü Á¹ ÇÄ Ì¹ Ü Á¹ AP = {p 1,..., p k ¹ Kripke Ù M =< S,, I, L > 2 n È M ĐÞ Þ k + 2 Ê Á ϕ(a 1,..., a n, a 1,..., a n), ψ 0 (a 1,..., a n ), ψ 1 (a 1,..., a n ),, ψ k (a 1,..., a n ) Ü Æ ¹ Û¹ ÛÜ ¹ Ü Á ζ(a 1,..., a n ) ι ÈÌĐÞ Þ Á a 1...a n.(ϕ(a 1,..., a n, a 1,..., a n ) ζ(a 1,..., a n )) Ó Û Ç Ð Ç a 1,..., a n ¹Á ϕ (a 1,..., a n ) ¾Î Ò ¹ a 1,..., a n Ì a 1,..., a n

¹Æ ȹÁ ± ĐÞ Þ º» x.ϕ = (ϕ x=0 ϕ x=1 ) n = 4, ϕ(a 1,..., a n, a 1,..., a n ) = ( a 2 a 3 a 4 a 1 a 2 a 3 a 4) ζ(a 1,..., a n ) = a 1 a 2 a 3 a 4 a 1...a n.(ϕ(a 1,..., a n, a 1,..., a n) ζ(a 1,..., a n )) = a 1 a 2 a 3 a 4 ζ(a 1,..., a n ) = a 1 a 2 a 3 a 4 ¹Î¹Á a 1 a 2 a 3 a 4 ζ(a 1,..., a n ) = a 1 a 2 a 3 a 4 a 1...a n.(ϕ(a 1,..., a n, a 1,..., a n) ζ(a 1,..., a n )) = false ζ(a 1,..., a n ) = a 1 a 2 a 3 a 4 ¹Î¹ Á ζ(a 1,..., a n ) ¹µ¹ ÈÌĐÞ Þ Á a 1...a n.(ϕ(a 1,..., a n, a 1,..., a n ) ζ(a 1,..., a n )) Ó Þµ¹Êι¹ ĐÞ ½Å ¹Đ²Ì ¾Î Å Æ Ö ¹ Á ±Ä ¼º ½Å Å Ì º Á º ÅÜ Á º ¹ ÆÖ Í ³Ô» Å Á º ¹³ Å ¹ Ö Ì¹ÅÖ Ó Æ Ä Ø Ì ¹º Ü Ð µ ÄÍ È³Ã Ü ÁÆ Ä¹Ï ÅÖ ĐÞ ¹ ¹ Å {s 10, s 2 ĐÞÆ Þ Á ¹Ì a 1 a 2 a 3 a 4 a 1 a 2 a 3 a 4 Ú Ì¹ÅÖÜÍÐ Å Û º Å {s 10, s 2 ¹ Þ Á¹Ì a 1 a 2 a 3 a 4 a 1 a 2 a 3 a 4 a 1 a 2 a 3 a 4 a 1 a 2 a 3 a 4 a 1 a 2 a 3 a 4 a 1 a 2 a 3 a 4 a 1 a 2 a 3 a 4 a 1 a 2 a 3 a 4 a 1 a 2 a 3 a 4 a 1 a 2 a 3 a 4 a 1 a 2 a 3 a 4 a 1 a 2 a 3 a 4 a 1 a 2 a 3 a 4 a 1 a 2 a 3 a 4

Å ³ÃÐ ÒÆ Ä¹Ó ± Ü Ì¹Æ {s 10, s 2 ĐÞÆ Þ Á ¹Ì a 1 a 2 a 3 a 4 = false a 1 a 2 a 3 a 4 = false a 1 a 2 a 3 a 4 = true a 1 a 2 a 3 a 4 = false a 1 a 2 a 3 a 4 = false a 1 a 2 a 3 a 4 = false a 1 a 2 a 3 a 4 = false a 1 a 2 a 3 a 4 = false a 1 a 2 a 3 a 4 = false a 1 a 2 a 3 a 4 = false a 1 a 2 a 3 a 4 = true a 1 a 2 a 3 a 4 = false a 1 a 2 a 3 a 4 = false a 1 a 2 a 3 a 4 = false a 1 a 2 a 3 a 4 = false a 1 a 2 a 3 a 4 = false Ú¹Ü ÌĐ Ø Æ ĐÞÐ Ú¹Ü Æ Í Ò Ð Đ Þ 5.2 Ç»  5.3 À  5.4 5.4.1 SMV» Æ Ê MODULE main VAR x: boolean; y: boolean; t: boolean; p0 : process aa(x,y,t); p1 : process bb(x,y,t); ASSIGN init(x) := 0; init(y) := 0; init(t) := 0; SPEC (AG!(p0.a=s2 & p1.b=t2)) SPEC (AG (p0.a=s1 AF p0.a=s2)) SPEC (AG ((p0.a=s1 & p1.b!=t1 & p1.b!=t2)!e[!p0.a=s2 U p1.b=t2]))

MODULE aa(x,y,t) VAR a: {s0,s1,s2,s3,s4; ASSIGN init(a) := s0; next(a) := case a=s0: s1; a=s1 & (x=0 t=0): s2; a=s2: s3; a=s3: s0; 1: a; esac; next(x) := x; next(y) := case a=s0 a=s3: 1; a=s2: 0; a=s1 & (x=0 t=0): y; 1: y; esac; next(t) := case a=s0 a=s3: 1; a=s2: t; a=s1 & (x=0 t=0): t; 1: t; esac; FAIRNESS running

MODULE bb(x,y,t) VAR ASSIGN FAIRNESS b: t0,t1,t2,t3,t4; init(b) := t0; next(b) := case esac; b=t0: t1; b=t1 & (y=0 t=1): t2; b=t2: t3; b=t3: t0; 1: b; next(y) := y; next(x) := case b=t0 b=t3: 1; b=t2: 0; b=t1 & (y=0 t=1): x; 1: x; esac; next(t) := case esac; running Ò p1 ¹ FAIRNESS b=t0 b=t3: 0; b=t2: t; b=t1 & (y=0 t=1): t; 1: t; running»¾ ¼ Ö «ÔĐÞÜ Õ p0 ¹ Ë ¹ È ¹ Ò p0 FAIRNESS FAIRNESS (x=0 t=0) running FAIRNESS a=s2 Ö «

Ê MODULE main VAR vv: boolean; v0: boolean; v1: boolean; v2: boolean; p0 : aa(v0); p1 : bb(v0,v1,v2); ASSIGN init(vv) := 1; next(vv) := (v0&v1); SPEC (AG AF(v2=0)) SPEC (AG AF(v2=1)) SPEC AF (vv=1 & AX v2=0) SPEC AF (vv=1 & AX v2=1) SPEC AG (vv=1 & AX v2=1 AX A[vv=0 U (vv=1 & AX v2=0)]) SPEC vv=1 & AG (vv=1 AX vv=0 & AX AX AX AX vv=1) MODULE aa(v0) ASSIGN init(v0) := 0; next(v0) :=!v0; MODULE bb(v0,v1,v2) ASSIGN init(v1) := 0; init(v2) := 0; next(v1) := (v0 v1)&(!v0!v1); next(v2) := ((v0&v1) v2)&(!(v0&v1)!v2); ÅÒ aa(v0) ¹ init(v0)»¾ v0 ¹ ½ Ö 6 «Ò v0 ¹ Ö 6 ¹µÉÍÑ Ø Õ¹µÉÍÑ Ö 6 ³ «ß ˹µ Ü ÒÖ 6 Ñ v0=0 vv=1 & AG (vv=1 AX vv=0 & AX AX AX AX vv=1)

5.4.2 SPIN» Æ Ê bool x,y,t; mtype = { s0,s1,s2,s3 ; mtype = { t0,t1,t2,t3 ; byte a,b; active proctype p0() { a=s0; l01: atomic {y=1; t=1; a=s1; atomic {x==0 t==0; a=s2; atomic {y=0; a=s3; goto l01; active proctype p1() { l11: b=t0; atomic{ x=1; t=0; b=t1; atomic{ y==0 t==1; b=t2; atomic{ x=0; b=t3; goto l11; Ö ¹² ÙÂ #define p0s2 a==s2 #define p1t2 b==t2!(a == s2&&b == t2) never { /*!([]! (p0s2 && p1t2 )) */ T0 init: :: ((p0s2) && (p1t2)) goto accept all :: (1) goto T0 init fi; accept all: skip ¹² ÙÂ (a == s1 a == s 2 )

#define p0s1 a==s1 #define p1t2 b==t2 never { /*!([] (p0s1 <>p0s2 )) */ T0 init: :: (! ((p0s2)) && (p0s1)) goto accept S4 :: (1) goto T0 init fi; accept S4: :: (! ((p0s2))) goto accept S4 fi; ((a == s1&&!b == t1&&!b == t2)!(!a == s2ub == t2)) ¹² ÙÂ #define p0s1 a==s1 #define p0s2 a==s2 #define p1t1 b==t1 #define p1t2 b==t2 never { /*!([]((p0s1 &&! p1t1 &&! p1t2)!(!p0s2 U p1t2))) */ T0 init: :: (! ((p0s2)) &&! ((p1t1)) &&! ((p1t2)) && (p0s1)) goto T0 S4 :: (1) goto T0 init fi; T0 S4: :: ((p1t2)) goto accept all :: (! ((p0s2))) goto T0 S4 fi; accept all: Ö skip Î ÆÙ ÆÙ (a == s0 a == s 2 ) weak fairness (a == s0 a == s 2 ) Á Î

Ê chan r = [4] of {byte; chan s = [4] of {byte; byte a; byte b; active proctype p0() { byte x; od :: atomic{ :: x=0; :: x=1; :: x=2; :: x=3; fi; r!(a+x); :: atomic{ s?a; :: a==20; break; else; fi; active proctype p1() { byte y; od :: s!b; :: atomic{ r?y; :: b+1==y; b++; :: b+1!=y; fi; Ö (a b) ĐÞÁ ÎÆÙ Å Ù (b > a) Ê ÁÅ ÄÈÊ ØÚ Ü Ñ Ðйű Þ Å Ë Ù¹ ISO-OSI Ô ½ À ÞÆ Æ Ü Ð ¹ Ñ ÐÐĐ Æ ÀÞÆ ¹À³ Ù ¹ Ô Ñ Ê Ï Å± Ú ÀÞÆ ¹ À³¹ Ê¼Ý #define true 1 #define false 0 #define M 4 #define W 2 #define QSZ 2 mtype = {ack,sync ack,sync,data chan ses to flow[2] = [QSZ] of { byte, byte ; chan flow to ses[2] = [QSZ] of { byte, byte ; chan dll to flow[2] = [QSZ] of { byte, byte ; chan flow to dll[2] = [QSZ] of { byte, byte ; Û ¹ ÊÝ

proctype fc(bit n) { bool busy[m]; bool received[m]; byte q,s,p,m; byte winw; byte type; byte I buf[m],o buf[m]; bool x; à µ Ü #define clean(buffer) s=m; :: (s>0) >s=s-1; buffer[s]=false; :: (s==0) >break; od à :: (winw<w && len(ses to flow[n])>0 && len(f low to dll[n])<qsz) > ses to flow[n]?type,x; winw=winw+1; busy[s]=true; O buf[s]=type; :: (type==sync) >flow to dll[n]!type,x; clean(busy); winw=0; :: (type==sync ack) >flow to dll[n]!type,x; clean(received); :: (type!=sync && type!=sync ack) >flow to dll[n]!type, s; s=(s+1)%m; fi µ Þ #define receive() I buf[m]=type; received[m]=true; received[(m-w+m)%m]=false #define acked(m) ((0<p-m)&&(p-m<=W)) ((0<p-m+M)&&(p-m+M<=W)) #define rereceive() :: acked(m) >flow to dll[n]!ack,m; :: else; fi () :: dll to flow[n]?type,m > :: (type!=ack && type!=sync && type!=sync ack) > :: (received[m]==false) >receive(); :: (received[m]==true) >rereceive(); fi :: (type==ack) >busy[m]=false; :: (type==sync) > :: (I buf[q]!=sync) >I buf[q]=sync; flow to ses[n]!type,m; :: (I buf[q]==sync); flow to dll[n]!sync ack,m; fi :: (type==sync ack) > :: (I buf[q]!=sync ack) >I buf[q]=sync ack; flow to ses[n]!type,m; :: (I buf[q]==sync ack); fi fi

Ê Î¹ :: (winw>0 && busy[q]==false) >winw=winw-1; q=(q+1)%m; :: (received[p]==true && len(flow to ses[n])<qsz && len(flow to dll[n])<qs Z) > flow to ses[n]!i buf[p]; flow to dll[n]!ack,p; p=(p+1)%m; :: (timeout && len(flow to dll[n])<qsz && winw >0 && busy[q ]==true) > flow to dll[n]!o buf[q],q; od fc(0) Ê fc(1) ¹ flow to dll[n] Ê dll to flow[1- n] ¹ ĐÞ Ü Û proctype datalink() { byte type, seq; :: flow to dll[0]?type,seq; :: dll to flow[1]!type,seq :: skip fi; :: flow to dll[1]?type,seq; :: dll to flow[0]!type,seq :: skip fi; od Û ¹ ¹ Ü Æ ¹ÓÊ Ü ¹Ó ¼Ü ٠ܽ Û ÊÛ ¹ Î ¹ Ó¹Û ß ¹Ó ÏÓ Ó Ü Ó Ü ¹ÁØ Ã¹ÁØ Ï Đ Ó red,white,blue ³Æ Ó red,white,blue ¹ ÔÊ ÃÓ¹Û mtype = {red,white,blue proctype test sender(bit n) { byte val; ses to flow[n]!sync,val; :: flow to ses[n]?sync ack,val >break :: timeout >ses to flow[n]!sync,val od; :: ses to flow[n]!white; :: ses to flow[n]!red >break; od; :: ses to flow[n]!white; :: ses to flow[n]!blue >break; od; :: ses to flow[n]!white; :: break; od val ű Ì val ¹ Đ ¹ Ï Ì Ó¹Û Đ

proctype test receiver(bit n) { byte val; flow to ses[n]?sync,val; ses to flow[n]!sync ack,val; :: flow to ses[n]?white,val; :: flow to ses[n]?red,val >break; :: flow to ses[n]?blue,val >assert(0); od; :: flow to ses[n]?white,val; :: flow to ses[n]?blue,val >break; :: flow to ses[n]?red,val >assert(0); od; :: flow to ses[n]?white,val; :: flow to ses[n]?red,val >assert(0); :: flow to ses[n]?blue,val >assert(0); od Ô¹ init { run datalink(); run fc(0); run fc(1); run test sender(0); run test receiver(1); Þ Đ SPIN Ù µ ¹ SPIN.4.1.2 Ù Þ Ô «8.8 Ê 900MB ²± ÒÆ µå± Ù «3.5 Ê 280MB ²± ĐÞ ÇÙ Å Đ Ó¹Û proctype test receiver(bit n) { byte type,val; flow to ses[n]?sync,val; ses to flow[n]!sync ack; :: flow to ses[n]?type,val; od; ¾ÎÙ ³ z, w, r, b ¹!([]z (zu([]w (wu(r))))) z w r test receiver:type==0 test receiver:type==white test receiver:type==red

¾ Á ¹ ¹Ó¹ÁØÄ ³Ù Ê Ê ÒÆ µå± Ù «8.5 Ê 330MB ²± 5.4.3 VERDS» Æ