Abstract—SPIN is an efficient verification system for models of distributed software systems. It has been used to detect design errors in applications ranging from high-level descriptions of distributed algorithms to detailed code for controlling telephone exchanges. This paper gives an overview of the design and structure of the verifier, reviews its theoretical foundation, and gives an overview of significant practical applications. Index Terms—Formal methods, program verification, design verification, model checking, distributed systems, concurrency.

Abstract. This paper gives an overviewof the Maude 2.0 system. We emphasize the full generality with which rewriting logic and membership equational logic are supported, operational semantics issues, the new built-in modules, the more general Full Maude module algebra, the new META-LEVEL module, the LTL model checker, and newimplementation techniques yielding substantial performance improvements in rewriting modulo. We also comment on Maude’s formal tool environment and on applications. 1

Abstract. The number of installations of the Spin model checking tool is steadily increasing. There are well over two thousand installations today, divided roughly evenly over academic and industrial sites. The tool itself also continues to evolve � it has more than doubled in size, and hopefully at least equally so in functionality, since it was rst distributed in early 1991. The tool runs on most standard workstations, and starting with version 2.8 also on standard PCs. In this overview, we summarize the design principles of the tool, and review its current state. 1

We present the explicit state model checker HSF-SPIN which

The verification algorithm of SPIN is based on an explicit enumeration of a subset of the reachable state-space of a system that is obtained through the formalization of a correctness requirement as an -automaton. This -automaton restricts the state-space to precisely the subset that may contain the counter-examples to the original correctness requirement, if they exist. This method of verification conforms to the method for automata-theoretic verification outlined in [VW86]. SPIN derives

Abstract. We present MC 2, what we believe to be the first randomized, Monte Carlo algorithm for temporal-logic model checking, the classical problem of deciding whether or not a property specified in temporal logic holds of a system specification. Given a specification S of a finite-state system, an LTL (Linear Temporal Logic) formula ϕ, and parameters ɛ and δ, MC 2 takes N = ln(δ) / ln(1 − ɛ) random samples (random walks ending in a cycle, i.e lassos) from the Büchi automaton B = BS × B¬ϕ to decide if L(B) = ∅. Should a sample reveal an accepting lasso l, MC 2 returns false with l as a witness. Otherwise, it returns true and reports that with probability less than δ, pZ < ɛ, where pZ is the expectation of an accepting lasso in B. It does so in time O(N · D) and space O(D), where D is B’s recurrence diameter, using a number of samples N that is optimal to within a constant factor. Our experimental results demonstrate that MC 2 is fast, memory-efficient, and scales very well.

The fair cycle detectiou problem is at the heart of both LTL and fair CTL model checking. This paper preseuts a new distributed scalable algorithm for explicit fair cycle detection. Our method combines the simplicity of the distributiou of explicitly preseuted data structure and the features of symbolic algorithm allowing for an efficient parallelisa- tion. If a fair cycle (i.e. couuterexample) is detected, theu the algorithm produces a cycle, which is in general shorter than that produced by depth-first search based algorithms, Experimental results confirm that our approach outperforms that based ou a direct implementation of the best sequential algorithm.

The use of model checkers to solve discrete optimisation problems is appealing. A model checker can first be used to verify that the model of the problem is correct. Subsequently, the same model can be used to find an optimal solution for the problem. This paper describes how the new Promela primitives of Spin 4.0 can be applied to search e#ectively for the optimal solution. We show how Branch-and-Bound techniques can be added to the LTL property that is used to find the solution. The LTL property is dynamically changed during the verification.

For every finite model M and an LTL property #, there exists a number (the Completeness Threshold) such that if there is no counterexample to # in M of length or less, then M #. Finding this number, if it is su#ciently small, o#ers a practical method for making Bounded Model Checking complete. We describe how to compute an over-approximation to for a general LTL property using Buchi automata, following the Vardi-Wolper LTL model checking framework.

2The bulk of the contribution of the first author to this work was done when he was on leave from UCLA and doing a summer job at Bell Laboratories.