
Verifying Multi-threaded Software with Spin - luu
http://spinroot.com/spin/whatispin.html
======
jwise0
When I was a TA for my undergrad operating systems class, I gave a lecture
once on using SPIN for basic verification of a handful of mutex
implementations, and proving a handful of properties about them. If you want a
basic conceptual primer for Spin, I recommend checking it out -- here's a PDF
of the slide deck:

[http://www.cs.cmu.edu/~410-s11/lectures/L38_SPIN.pdf](http://www.cs.cmu.edu/~410-s11/lectures/L38_SPIN.pdf)

And here's a set of resources:

[http://www.cs.cmu.edu/~410-s09/lectures/L40_SPIN/spinfiles/](http://www.cs.cmu.edu/~410-s09/lectures/L40_SPIN/spinfiles/)

Linked to from the above is another good resource from people who have used
Spin -- a formal verification of Linux's RCU design, using Spin:

[http://lwn.net/Articles/243851/](http://lwn.net/Articles/243851/)

------
phunge
This (or some other tool like it) is a great skill to have if you deal with
concurrent datastructures. I used it to deal with a lock-free multithreaded
ringbuffer at a previous job and it made my life much easier. The Spin Book is
a good read.

------
atsaloli
More on Dr. Holzmann's (author of SPIN) work and his setup here:
[https://news.ycombinator.com/item?id=6950440](https://news.ycombinator.com/item?id=6950440)

------
tbrock
Is there a good reason to use this over clang's thread sanitizer?

~~~
phunge
Thread sanitizer is a tool which can detect races. Spin is a tool which can
prove an algorithm (or a simplified specification of it) is race-free.

You start with an algorithm involving concurrent operations. Spin searches
across all possible interleavings of those operations -- basically like
running your program while simulating every possible ordering of execution.
Over all those simulations, it verifies invariants (that you choose). So it's
like a proof agent -- if your proof succeeds you get a much stronger guarantee
that your algorithm behaves as you believe it does.
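
As an added illustration of the search-every-interleaving approach described above (this is an example written for this page, not code from any commenter or from the Spin distribution), here is a small Promela model of two processes contending for a critical section. The file name `peterson.pml` and the `BROKEN` preprocessor flag are my own choices. Built normally it models Peterson's algorithm; built with `-DBROKEN` it models a naive check-then-set lock, and Spin finds the interleaving in which both processes pass the check before either sets its flag.

```promela
/* Added example (not from the original thread): two processes contending for a
 * critical section. Build with -DBROKEN to model-check the naive check-then-set
 * lock instead of Peterson's algorithm; pan then reports an assertion violation
 * and "spin -t" replays the exact interleaving that breaks mutual exclusion. */
bool flag[2];   /* flag[i] is true while process i wants to enter */
byte turn;      /* Peterson's tie-breaker: who must wait when both want in */
byte in_cs;     /* number of processes currently inside the critical section */

active [2] proctype P() {
    byte me = _pid;         /* active proctypes are numbered 0 and 1 */
    byte other = 1 - _pid;
again:
#ifdef BROKEN
    /* Check-then-set: the check and the set are separate steps, so both
     * processes can observe flag[other] == false and then both enter. */
    (flag[other] == false);     /* a bare expression blocks until it is true */
    flag[me] = true;
#else
    /* Peterson: announce interest, give the turn away, wait until either the
     * other process is not interested or it has handed the turn back. */
    flag[me] = true;
    turn = other;
    (flag[other] == false || turn == me);
#endif
    in_cs++;
    assert(in_cs == 1);     /* mutual-exclusion invariant, checked in every reachable state */
    in_cs--;
    flag[me] = false;
    goto again;             /* loop forever so the state space covers repeated entries */
}
```

Usage, assuming the model is saved as `peterson.pml`: `spin -a peterson.pml && gcc -o pan pan.c && ./pan` generates and runs the verifier, which reports no errors for the Peterson build. `spin -DBROKEN -a peterson.pml && gcc -o pan pan.c && ./pan` reports an assertion violation and writes `peterson.pml.trail`; `spin -DBROKEN -t -p peterson.pml` replays that trail step by step, which is the counterexample a sanitizer only finds if the scheduler happens to produce it at runtime. Note that `pan` also flags invalid end states by default, so a variant that deadlocks (for example setting the flag before checking the other's, with no turn variable) is caught as well, just by a different error class.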

