I am running Spin in verification mode on the following code. The problem is with the function named "never". When it executes, it gives me an error that the functions inc(), dec() and reset() never complete. But if I add a loop, it works fine. According to the documentation, "never" checks the variables at every step. So why does it not work without the loop?
int x = 0;
proctype Inc(){
do
::true ->
if
::x<10->x=x+1
fi
od
}
proctype Dec(){
do
::true ->
if
::x>0->x=x-1
fi
od
}
proctype Reset(){
do
::true ->
if
::x==10->x=0
fi
od
}
never { // if I need this to work, I have to add
To_Init: // this line
if
:: (x<0) || (10<x) -> goto accept
:: else -> goto To_Init // and that line
fi;
accept:
}
init{
run Inc();
run Dec();
run Reset();
}
The never block that gives me the warning is:
never {
if
:: (x<0) || (10<x) -> goto accept
fi;
accept:
}
Actually, it is not an error but a kind of warning: it reports "unreached" in proctype Inc, Dec, Reset and init. The full warning log is below.
warning: for p.o. reduction to be valid the never claim must be stutter-invariant
(never claims generated from LTL formulae are stutter-invariant)
(Spin Version 6.2.7 — 2 March 2014)
+ Partial Order Reduction
Full statespace search for:
never claim + (never_0)
assertion violations + (if within scope of claim)
acceptance cycles + (fairness disabled)
invalid end states - (disabled by never claim)
State-vector 28 byte, depth reached 0, errors: 0
1 states, stored
0 states, matched
1 transitions (= stored+matched)
0 atomic steps
hash conflicts: 0 (resolved)
Stats on memory usage (in Megabytes):
0.000 equivalent memory usage for states (stored*(State-vector + overhead))
0.289 actual memory usage for states
128.000 memory used for hash table (-w24)
0.534 memory used for DFS stack (-m10000)
128.730 total actual memory usage
unreached in proctype Inc
l31never-no-cycle:6, state 3, "x = (x+1)"
l31never-no-cycle:6, state 4, "((x<10))"
l31never-no-cycle:4, state 6, "(1)"
l31never-no-cycle:9, state 9, "-end-"
(4 of 9 states)
unreached in proctype Dec
l31never-no-cycle:15, state 3, "x = (x-1)"
l31never-no-cycle:15, state 4, "((x>0))"
l31never-no-cycle:13, state 6, "(1)"
l31never-no-cycle:18, state 9, "-end-"
(4 of 9 states)
unreached in proctype Reset
l31never-no-cycle:24, state 3, "x = 0"
l31never-no-cycle:24, state 4, "((x==10))"
l31never-no-cycle:22, state 6, "(1)"
l31never-no-cycle:27, state 9, "-end-"
(4 of 9 states)
unreached in claim never_0
l31never-no-cycle:35, state 6, "-end-"
(1 of 6 states)
unreached in init
l31never-no-cycle:39, state 2, "(run Dec())"
l31never-no-cycle:40, state 3, "(run Reset())"
l31never-no-cycle:41, state 4, "-end-"
(3 of 4 states)
A never claim reports an error in two cases: 1) an "accept" cycle is detected, or 2) the never claim completes. A third possibility is that the never claim cannot take a step; that third possibility is what your code produces.
When your claim is:
never {
if
:: (x<0) || (10<x) -> goto accept
fi;
accept:
}
there is no possible step from the initial state. That is, the never claim starts in the state just before the `if`. From the state where x==0 there is no possible next step.
When there is no possible step in the never claim, the verifier backtracks to a state where a step can be taken. In your case there is nowhere to back up to, and your verification ends because there is nothing left to do. The verifier then notices that a lot of code was not executed (because, in fact, nothing in your model executed).
From all of the unexecuted code you can tell that this is not what you expected. But it is not reported as an error.
For your subsequent case you added an `else`. In that case the verifier can take a step in the never claim, so your verification proceeds.
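As an added example (not code from the question or the answer), here is the same model with a claim that can always take a step, in the shape Spin itself produces from an LTL formula: a `(1) -> goto T0_init` branch stutters on every system transition, so the claim never blocks and the search explores the model. The labels `T0_init` and `accept_all`, the simplified proctype bodies and the file name `model.pml` in the usage note are assumptions of this example. Replacing `(1)` with `else`, as in the question's working version, makes the claim depend on whether the other branch is enabled, which is why Spin warns that the claim is not stutter-invariant.

```promela
/* Added example: model from the question with a stutter-invariant never claim
   for the property "x always stays within 0..10". Labels and structure follow
   the form Spin generates for !([] p); proctype bodies are simplified (assumed). */
int x = 0;

/* Each process blocks on its guard instead of looping on "true" and then
   blocking inside an if without else; the reachable behaviour is the same. */
proctype Inc()   { do :: x < 10  -> x = x + 1 od }
proctype Dec()   { do :: x > 0   -> x = x - 1 od }
proctype Reset() { do :: x == 10 -> x = 0     od }

/* Hand-written claim equivalent to the negation of [] (x >= 0 && x <= 10).
   The "(1) -> goto T0_init" branch is always executable, so the claim takes
   a step at every system step (stutter-invariant). If the bound is ever
   violated the claim moves to accept_all and loops there forever, which
   pan reports as an acceptance cycle. */
never {
T0_init:
    do
    :: !(x >= 0 && x <= 10) -> goto accept_all
    :: (1) -> goto T0_init
    od;
accept_all:
    skip
}

init {
    atomic { run Inc(); run Dec(); run Reset() }
}
```

The same claim can be obtained without writing it by hand: delete the `never` block and add `ltl in_range { [] (x >= 0 && x <= 10) }` to the file, then run `spin -a model.pml`, compile `pan.c`, and run `./pan -a` to search for acceptance cycles. Because the generated claim is stutter-invariant, the partial order reduction warning from the question's log does not appear.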