/* * This model describes the interaction between ctx->notify_me * and aio_notify(). * * Author: Paolo Bonzini <pbonzini@redhat.com> * * This file is in the public domain. If you really want a license, * the WTFPL will do. * * To simulate it: * spin -p docs/aio_notify.promela * * To verify it: * spin -a docs/aio_notify.promela * gcc -O2 pan.c * ./a.out -a * * To verify it (with a bug planted in the model): * spin -a -DBUG docs/aio_notify.promela * gcc -O2 pan.c * ./a.out -a */ #define MAX 4 #define LAST (1 << (MAX - 1)) #define FINAL ((LAST << 1) - 1) bool notify_me; bool event; int req; int done; active proctype waiter() { int fetch; do :: true -> { notify_me++; if #ifndef BUG :: (req > 0) -> skip; #endif :: else -> // Wait for a nudge from the other side do :: event == 1 -> { event = 0; break; } od; fi; notify_me--; atomic { fetch = req; req = 0; } done = done | fetch; } od } active proctype notifier() { int next = 1; do :: next <= LAST -> { // generate a request req = req | next; next = next << 1; // aio_notify if :: notify_me == 1 -> event = 1; :: else -> printf("Skipped event_notifier_set\n"); skip; fi; // Test both synchronous and asynchronous delivery if :: 1 -> do :: req == 0 -> break; od; :: 1 -> skip; fi; } od; } never { /* [] done < FINAL */ accept_init: do :: done < FINAL -> skip; od; }