aio_notify.promela

/*
 * This model describes the interaction between ctx->notify_me
 * and aio_notify().
 *
 * Author: Paolo Bonzini <pbonzini@redhat.com>
 *
 * This file is in the public domain.  If you really want a license,
 * the WTFPL will do.
 *
 * To simulate it:
 *     spin -p docs/aio_notify.promela
 *
 * To verify it:
 *     spin -a docs/aio_notify.promela
 *     gcc -O2 pan.c
 *     ./a.out -a
 *
 * To verify it (with a bug planted in the model):
 *     spin -a -DBUG docs/aio_notify.promela
 *     gcc -O2 pan.c
 *     ./a.out -a
 */

#define MAX   4
#define LAST  (1 << (MAX - 1))
#define FINAL ((LAST << 1) - 1)

bool notify_me;
bool event;

int req;
int done;

active proctype waiter()
{
    int fetch;

    do
        :: true -> {
            notify_me++;

            if
#ifndef BUG
                :: (req > 0) -> skip;
#endif
                :: else ->
                    // Wait for a nudge from the other side
                    do
                        :: event == 1 -> { event = 0; break; }
                    od;
            fi;

            notify_me--;

            atomic { fetch = req; req = 0; }
            done = done | fetch;
        }
    od
}

active proctype notifier()
{
    int next = 1;

    do
        :: next <= LAST -> {
            // generate a request
            req = req | next;
            next = next << 1;

            // aio_notify
            if
                :: notify_me == 1 -> event = 1;
                :: else           -> printf("Skipped event_notifier_set\n"); skip;
            fi;

            // Test both synchronous and asynchronous delivery
            if
                :: 1 -> do
                            :: req == 0 -> break;
                        od;
                :: 1 -> skip;
            fi;
        }
    od;
}

never { /* [] done < FINAL */
accept_init:
        do
        :: done < FINAL -> skip;
        od;
}