Comparison of SPIN and VIS for protocol verification by Peng, Hong et al.
Software Tools for Technology Transfer manuscript No.
(will be inserted by the editor)
Comparison of SPIN and VIS for Protocol Verification
Hong Peng, Sofiène Tahar and Ferhat Khendek
Dept. of Electrical & Computer Engineering, Concordia University
1455 de Maisonneuve W., Montreal, Quebec, H3G 1M8 Canada
E-mail: {pengh,tahar,khendek}@ece.concordia.ca
The date of receipt and acceptance will be inserted by the editor
Key words: SPIN, VIS, Model Checking, Formal Verification, Protocols
Abstract. In this paper, we compare and contrast SPIN and VIS, two widely used formal verification tools. In particular, we devote special attention to the efficiency of these tools for the verification of communications protocols that can be implemented either in software or in hardware. As a basis for our comparison, we formally describe and verify the Asynchronous Transfer Mode Ring (ATMR) medium access protocol using SPIN, and its hardware model using VIS. We believe that this study is of particular interest as more and more protocols, like ATM protocols, are implemented in hardware to meet high speed requirements.
1 Introduction
For the last two decades, verification techniques have been applied successfully in software and hardware engineering. Various techniques have been proposed in the literature [6]. They range from pure simulation to model checking. The widely used simulation techniques cannot cover all design errors, especially for large systems. Like testing techniques, they are used to detect errors, but not to prove the correctness of a design. During the past decade, model checking techniques have established themselves as a significant means of design validation, namely a given design is validated against specific and general properties. Two different fields of model checking have arisen: formal verification of software protocols and software systems, like SPIN [9], and formal verification of digital hardware, like VIS [2].
The SPIN software verification tool, developed by G. J. Holzmann at Bell Labs in 1989, is based on an interleaving model of concurrency, in which, unlike in hardware, only one component of the system state is allowed to change at a time. SPIN checks whether the protocol specification is logically consistent. It reports errors in the protocol such as deadlock, livelock, or unreachable code. It also validates properties specified as linear time temporal logic (LTL) [8] formulas.
The VIS (Verification Interacting with Synthesis) tool, developed in 1995 by the University of California at Berkeley and the University of Colorado at Boulder, is based on synchronous models, where any number of components can change state at a time. VIS integrates formal verification, simulation, and synthesis of finite-state hardware systems. It uses the Verilog hardware description language (HDL) as its input language. VIS supports branching time temporal logic (CTL) [8] symbolic model checking with fairness constraints [13].
The aim of this paper is to compare and contrast the SPIN (XSPIN version 3.3.3) and VIS (VIS release 1.3) tools using a software and a hardware model of the ATMR protocol [12] as a case study. We developed the software and hardware models independently and formally verified them in SPIN and VIS, respectively. Since the modeling languages of SPIN and VIS are different, we cannot claim that the two verified models, the VIS one and the SPIN one, are exactly the same with respect to their semantics. However, we did follow the modeling and coding style of each of these tools. To expose the advantages and disadvantages of these two types of tools,
Fig. 1. ATMR structure with 5 nodes
memory usage, and state space generated. Furthermore, we describe the modeling techniques for asynchronous protocols in SPIN and VIS, and also analyze the source of the complexity in the verification.
The rest of the paper is structured as follows. We begin with an overview of the ATMR protocol (Section 2). We then describe the ATMR specification and verification in SPIN (Section 3) and VIS (Section 4), respectively. Finally, we conclude the paper with the comparison and contrast of SPIN and VIS (Section 5). The PROMELA and Verilog codes of the ATMR protocol are provided in the Appendix.
2 ATM Ring Protocol
The Asynchronous Transfer Mode Ring (ATMR) protocol [12] is an ISO standard based on a high speed shared medium connecting a number of access nodes by channels in a ring topology. Figure 1 gives an example ring with five nodes connected via a channel transferring cells between the nodes. For controlling access to this type of
Fig. 2. Format of an ATMR cell
shared medium, the ring is first initialized with a fixed number of ATM cells continuously circulating around the channel from one node to another. Within each access node there is an access unit which performs both the physical layer convergence function and the access control function. Access to the ring is requested by the client and controlled by a combination of a window mechanism and a reset procedure. The client can issue a sending request to the access unit and receive a data cell. The window mechanism limits the number of cells a node can transmit at a time, called the "credits" of this node. The reset procedure reinitializes the window in all access units to a predefined credit value. The format of an ATMR cell is shown in Figure 2.
It contains an access control field (ACF), which includes a reset bit, a monitor bit and a busy address.
Fig. 3. FSM of an ATMR entity
its own address in the busy address field. The ATM cell is routed by using a ring virtual channel ID (RVCI) in the cell header.
The state transition diagram of the ATMR is shown in Figure 3, where "?" means receiving a message. The protocol entity of an access unit begins in an IDLE state. When the access unit has cells queued for transmission, it enters a SEND state and sends them in empty slots received at the ring interface, with the address of the destination in the RVCI field of the cell header. The RVCI field in the header of all cells received at the ring interface of each node is checked and, if the cell is addressed to this node, the cell contents are copied and passed to the appropriate convergence sublayer. The RVCI field is then set to zero, which indicates an empty cell, and the cell is relayed to the next node in the ring. If a match is not found, this cell remains unchanged.
Transmissions on the ring occur in cycles during which each access unit is allocated a fixed window size credit. This credit indicates the number of cells the access unit can transmit in this cycle before issuing or receiving a reset cell from the ring interface. A window credit counter is maintained by each access unit. Whenever this value is less than zero, the protocol entity enters a WAIT state to wait for a new credit. This value is initialized to the window size credit each time the ring is reset, namely when the protocol entity is in a RESET state, and the credit is decremented by one each time the access unit transmits a cell from its transmission queue. This mechanism is followed by all access units in the ring and hence eventually all units become inactive and the flow of cells around the ring ceases.
To reinitialize the transmission of the cells, an active access unit always overwrites its own address in the busy address field in the header of all cells passing the ring interface. This way, if an active access node receives a cell with its own address in the busy address field, it concludes that the other nodes are inactive. Then, after completely sending any remaining data queued from the higher layer, it creates a reset cell by setting the reset bit in the header of the next cell passing the ring interface. The reset cell circulates around the ring and causes all other access units to reinitialize their window credit counters. Once reinitialized, any access unit having data queued for transmission regains the active state and restarts sending cells.
The ATMR protocol was first modeled and checked by Charpentier and Padiou [4], who used UNITY to conduct a pencil-and-paper verification of it. Their validation abstracts away from any implementation, be it in software or in hardware. In the next sections, we describe the modeling and verification of the ATMR protocol in SPIN and VIS, respectively.
3 Verification Using SPIN
SPIN [9] targets the verification of software systems and has been used in the past to trace design errors in distributed systems design, such as operating systems, data communications protocols, switching systems, concurrent algorithms, railway signaling protocols, etc. [10,3]. The tool checks the logical consistency of a protocol specification and reports design errors like deadlock, livelock, unreachable code and so on.
SPIN uses full LTL model checking, supporting all correctness requirements expressible in linear time temporal logic. It can also be used as an efficient on-the-fly verifier for more basic safety and liveness properties. Many of the latter properties can be expressed, and verified, without the use of LTL, though. Correctness properties can be specified as system or process invariants (using assertions), or as general linear temporal logic requirements (LTL), either directly in the syntax of next-time free LTL, or indirectly as Büchi automata (called never claims). If a property is invalid, an error trace is provided by the tool.
SPIN uses PROMELA (Process Meta Language) [9] as its input modeling language. PROMELA allows abstractions in the protocol description by neglecting details that are irrelevant to process interaction. The intended use of SPIN is to verify fractions of process behavior which, for one reason or another, are considered suspect. The relevant behavior is modeled in PROMELA and verified.
3.1 ATMR Specification
In order to test the capability of the SPIN tool, we tried to build a model as large as possible and let the tool do the reduction work. In this way, the verification engine works at its upper load limit, so that we can test the performance of the engine in a realistic situation. As an ATMR protocol can have n nodes and p channels [12], we perform our verification on the model shown in Figure 1 with 3, 4, 5, and 6 ATMR nodes and a channel size of 6, 8, 10, and 12 cells, respectively. The channel length between two neighboring nodes is two cells. We realized through experimentation that the five node model is the maximum model size for which a comparison between SPIN and VIS can be made within the memory available on the machine we used (Sun Sparc with 2 GB memory). However, for the purpose of comparison, we also report the experimental results of the ATMR model with three, four, five, and six nodes.
In the SPIN ATMR model, each node is specified as a process
proctype Atmr(byte ID; chan in, out)
where ID is the identification of the present node, in is the input channel and out is the output channel of the node. Since the nodes form a ring, the input channel of node B, for instance, is the output channel of node A (Figure 1).
Since SPIN's strength is in proving properties of interactions in a distributed system, but not in proving things about local computation or data dependency, we try to make the model more general and more abstract. Namely, we put only the behavior between the access unit and the channel into the model. Besides, we assume that the queue between the client and the access unit is automatically refilled once it is empty. Thus, we obtain a simple model without affecting the behavior of the access unit.
An additional way of reducing the complexity is to remove everything that is not related to the property we are trying to prove, such as redundant data. For example, due to state space explosion, we did not succeed in verifying the whole data-path of the ATMR model. In order to simplify the latter, we abstract away all the information which does not affect the behavior of the ring access scheme, namely the HCS field, the adaptation layer field and the user information field. The reduced cell format on which we based our verification is shown in Figure 4, where only a 5 bit ACF and a 3 bit RVCI
Fig. 4. Simplified Cell Format
will be used (non-shaded boxes in Figure 4). Because we kept all the access control information in the header format, namely the ACF and RVCI fields, the control behavior of the ATMR with the simplified cell format is exactly the same as that of the original one. After the reduction,





where Busy_Add is the busy address and Dest_Add is the destination address. MSDU_struct is the type definition of the cell. The cells are classified into DataCell, which contains user data, EmptyCell, which is available for loading, and ResetCell, which resets the credit of the access units in the ring.
Asynchronous channels are a significant source of complexity in the verification since there are many interleavings in the channel. Generally, the exclusive read/write option provided by SPIN is a good partial order reduction approach [11], which can reduce the verification CPU time.
Besides, in order to reduce the interleavings in the model, one possible solution is to make as many statements as possible atomic. For example, in









We can also reduce the interleavings of the model significantly by making each state transition atomic. For example, instead of
:: (State == state_name)->
other_statements
we can use
:: atomic{(State == state_name) ->
other_statements}
The exhaustive experiments we conducted show that the state space can be reduced by at least one order of magnitude in this way. However, in this case, the PROMELA model becomes synchronous, which is not our intention. In the sequel, we did not use these atomic statements.
The PROMELA ATMR model is shown in Appendix A, where ID is the identifier of this unit, and in and out are the incoming and outgoing channels of this unit, respectively. There are four states, Idle, Send, Reset, and WaitCredit. In each state, the unit can receive a DataCell, an EmptyCell or a ResetCell.
An advantage of SPIN is that we can easily check for deadlock using a timeout statement in the model. Since in a deadlock the state transitions stop, the timeout statement in a state is easily triggered and can be checked.
3.2 ATMR Verification
Once the ATMR model is established, we validate it against a set of basic consistency properties. For illustration purposes, we present here six properties, including liveness and safety ones. In the following descriptions, "[]", "<>", "==" and "->" mean "always", "eventually", "logical equality" and "imply", respectively.
Property 1: Once an access unit exhausts its window size credit, the credit will eventually be renewed.
[]((credit == 0) -> <>(credit == 6))
where credit stands for the number of credits held by an access unit and 6 is the preset maximum value.
Property 2: A client's request will eventually be acknowledged.
[]((req == 1) -> <>(ack == 1))
where req is a cell sending request signal from a client to an access unit. If the requested cell has been sent out, the access unit returns an ack signal to the client.
Property 3: An access unit will eventually exit the RESET state and enter the SEND state.
[]((state == RESET) -> <>(state == SEND))
where state stands for the current state of an access unit.
Property 4: An access unit will eventually exhaust its window size credit.
[]((credit == 6) -> <>(credit == 0))
Here, 6 is the preset maximum credit value. We expect that all the credits will be consumed during the sending procedure.
Property 5: The number of reset cells in the ring cannot exceed the number of access units.
[](NumofRst < NumofUnit)
where NumofRst is the number of reset cells in the ring and NumofUnit is the number of access units.
Property 6: In the SEND state, a given station cannot send more cells than allowed by its credits.
[]((state == SEND) -> (Outmsgs <= 6))
Here, Outmsgs is the number of cells sent by a given station in the SEND state.
The verification of the above six properties was performed on a Sun Sparc workstation with 2 GB of memory. We used the two kinds of reachability analysis methods provided by the SPIN tool. One is the exhaustive exploration; the other is the supertrace/bitstate exploration, an approximate approach which can only provide a maximum-coverage search. In the ATMR verification, we first tried the exhaustive exploration. But this approach could not finish the ATMR verification due to an out of memory error, even when we applied the model compression techniques (-DCOLLAPSE, -DMA).
3 nodes:
Property  CPU Time (s)  Memory (MB)  States
P1             7.5        46.084     1335725
P2            19.7        45.982      340879
P3             5.2        46.084      122671
P4            18.6        46.084      390387
P5             5.5        46.084       92322
P6             3.2        44.982      101015

4 nodes:
Property  CPU Time (s)  Memory (MB)  States
P1           359.8        89.802   6.61796e6
P2           941          87.345   1.56626e7
P3           271.6        90.007   4.648e6
P4           828.9        73.521   1.5796e7
P5           236.6        89.086   4.3443e6
P6           167.3        45.187   5.95003e6

5 nodes:
Property  CPU Time (s)  Memory (MB)  States
P1          1632.5       127.225   3.26899e7
P2          2273.6       264.906   3.41975e7
P3          2218.1       962.66    3.22636e7
P4          1255.3       258.25    2.9685e7
P5          2187.5      1441.086   4.32634e7
P6          1313.8       584.864   3.33867e7

6 nodes:
Property  CPU Time (s)  Memory (MB)  States
P1          3261.4      1192.077   4.36862e7
P2          2883         264.19    4.98607e7
P3          2842.7       258.998   3.61413e7
P4          2783.9       298.487   3.69046e7
P5             -            -           -
P6          2765        1729.955   4.53676e7

Table 1. ATMR verification with SPIN
In contrast, the supertrace/bitstate (bit-state hashing) search could finish the verification of the properties. Although the coverage is not one hundred percent, it still gives us some confidence about the correctness of the model. The supertrace/bitstate model checking experimental results are reported in Table 1, including CPU time in seconds, memory usage in MB and the number of states stored. Graphic illustrations of the experimental results are plotted in Figures 5, 6, and 7.
From the graphic illustrations, we found that the growth of the state space becomes steady when the model becomes larger, and so does the CPU time. This means that SPIN can handle larger models, at the cost, however, of the state coverage (i.e., the number of visited states relative to the number of actual states). Generally, for a hash factor between 10 and 100, SPIN gives an expected coverage of 98% on average.
Bit-state hashing is an approximate approach. On the other hand, compared with classical random simulation techniques, it is always better to use bit-state hashing because the coverage is usually much better than that achieved with random simulation. During the verification, we found that the more nodes are included in the ATMR model, the lower the coverage. In the 3-node verification, the coverage is greater than 99.9%, but in the 6-node verification, the coverage is less than 98%.
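The exhaustive versus bit-state search discussed above, as an added Python example that is not the paper's PROMELA model: a deliberately small ATMR ring (one circulating cell per channel, a fixed next-node destination, and a reset issued by a waiting unit that sees its own busy address come back) is explored by explicit-state breadth-first search, once with an exact visited set and once with a SPIN-style two-hash bit table, while Properties 5 and 6 and freedom from deadlock are checked on every state. The state encoding, the SEND/WAIT/RESET transitions and the simplified reset trigger are assumptions of this example, not the paper's.

```python
from collections import deque, namedtuple

# Reduced cell (Figure 4): data/dest stand for the RVCI (dest -1 = empty slot),
# busy for the busy address (-1 = not stamped), rst for the reset bit (ACF).
Cell = namedtuple("Cell", "data dest busy rst")
EMPTY = Cell(False, -1, -1, False)
SEND, WAIT, RESET = 0, 1, 2   # IDLE omitted: the client queue is always refilled
CAP = 2                       # capacity of the queue (channel) between two nodes

def process(node_id, state, credit, cell, n_nodes, max_credit):
    """Access-unit step on the cell at its ring interface -> (state, credit, cell)."""
    if cell.rst:
        # A reset cell renews every window credit; the originator (busy address
        # == its own id) takes the cell off the ring, all other units relay it.
        if cell.busy == node_id and state == RESET:
            return SEND, max_credit, EMPTY
        return (RESET if state == RESET else SEND), max_credit, cell
    if cell.data and cell.dest == node_id:
        cell = cell._replace(data=False, dest=-1)   # copy payload, free the slot
    if state == WAIT and cell.busy == node_id:
        # Our busy address came back unchanged: nobody else was active on the way
        # round, so this unit issues the reset cell (simplified trigger).
        return RESET, credit, cell._replace(rst=True)
    if state == SEND:
        cell = cell._replace(busy=node_id)          # active unit stamps every cell
        if not cell.data:                           # load an empty slot
            cell = cell._replace(data=True, dest=(node_id + 1) % n_nodes)
            credit -= 1
            if credit == 0:
                state = WAIT                        # window exhausted
    return state, credit, cell

def _set(tup, i, val):
    return tup[:i] + (val,) + tup[i + 1:]

class AtmrRing:
    """Ring of n units; channel i carries cells from node i to node i+1. A node
    takes a cell from its input channel (holding it while it is processed) and
    later forwards it when its output channel has room: two interleaved actions."""

    def __init__(self, n_nodes, max_credit):
        self.n, self.max_credit = n_nodes, max_credit

    def initial(self):
        channels = tuple((EMPTY,) for _ in range(self.n))   # one empty cell each
        return channels, (None,) * self.n, ((SEND, self.max_credit),) * self.n

    def successors(self, s):
        channels, held, nodes = s
        for i in range(self.n):
            src = (i - 1) % self.n
            if held[i] is None and channels[src]:
                st, cr, out = process(i, *nodes[i], channels[src][0], self.n, self.max_credit)
                yield (_set(channels, src, channels[src][1:]), _set(held, i, out),
                       _set(nodes, i, (st, cr)))
            elif held[i] is not None and len(channels[i]) < CAP:
                yield _set(channels, i, channels[i] + (held[i],)), _set(held, i, None), nodes

    def violations(self, s):
        """Safety properties P5 and P6 of the paper, checked on one state."""
        channels, held, nodes = s
        cells = [c for ch in channels for c in ch] + [c for c in held if c is not None]
        bad = []
        if sum(c.rst for c in cells) > self.n:
            bad.append("P5: more reset cells than access units")
        if any(st == SEND and not 0 < cr <= self.max_credit for st, cr in nodes):
            bad.append("P6: a SEND unit exceeded its window credit")
        return bad

def explore(ring, bits=None):
    """Breadth-first reachability. bits=None keeps an exact visited set (SPIN
    exhaustive mode); bits=k uses a 2**k-bit table with two hash functions (SPIN
    supertrace/bitstate): collisions silently drop states, lowering coverage."""
    if bits is None:
        seen = set()
        def visit(s):
            return not (s in seen or seen.add(s))
    else:
        table, mask = bytearray(2 ** bits // 8), 2 ** bits - 1
        def visit(s):
            h1, h2 = hash(s) & mask, hash((s, 1)) & mask
            new = not (table[h1 >> 3] >> (h1 & 7) & 1 and table[h2 >> 3] >> (h2 & 7) & 1)
            table[h1 >> 3] |= 1 << (h1 & 7)
            table[h2 >> 3] |= 1 << (h2 & 7)
            return new
    init = ring.initial()
    visit(init)
    queue, states, errors, deadlocks = deque([init]), 0, [], 0
    while queue:
        s = queue.popleft()
        states += 1
        errors += ring.violations(s)
        succ = list(ring.successors(s))
        deadlocks += not succ                  # where a PROMELA timeout would fire
        queue.extend(t for t in succ if visit(t))
    return {"states": states, "errors": errors, "deadlocks": deadlocks}
```

explore(AtmrRing(3, 2)) returns the exact state count, the list of property violations and the deadlock count; dividing the "states" of explore(ring, bits=k) by it gives the coverage, which drops as the bit table shrinks relative to the reachable state space, the effect the paper observes when the node count grows.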
There is some variance in the memory usage, especially in the 6-node model for Property 3. We think there may be two reasons. One is that we are using the
Fig. 5. SPIN verification CPU time
Fig. 6. SPIN verification memory usage
approximate method. This method is actually a "random" approach. The other is that we are working on a multi-user operating system. The variance in the system load affects the experimental results.
4 Verification Using VIS
VIS [2] is a verification and synthesis tool for finite-state hardware systems, developed at the University of California at Berkeley and the University of Colorado at Boulder. It uses the Verilog HDL as its input language and supports
Fig. 7. SPIN verification state space
CTL model checking with fairness constraints. Its fundamental data structure is a multi-level network of latches and combinational gates. The variables of a network are multi-valued, and logic functions over these variables are represented by an extension of BDDs: multi-valued decision diagrams (MDDs).
VIS operates on the intermediate format BLIF-MV [5]. It includes a compiler from Verilog to BLIF-MV and extracts a set of interacting FSMs that preserves the behavior of the Verilog program defined in terms of simulated results. Through the interacting FSMs, VIS performs CTL model checking under Büchi fairness constraints, i.e., sets of states that must be visited infinitely often. The language of a design is given by the sequences over the set of reachable states that do not violate the fairness constraints. If model checking fails, VIS reports the failure with a counter-example.
Fig. 8. Modified ATMR ring structure
Besides model checking, VIS supports equivalence checking, cycle-based simulation, and synthesis functions, such as state minimization and state encoding.
4.1 ATMR Specification
Since VIS is built on synchronous models, it is impossible to directly describe the original asynchronous ATMR in VIS; for example, how should the cell transmission between two access units be described using synchronous Verilog? We hence need to build a pseudo-asynchronous ATMR protocol to simulate the ATMR protocol in the synchronous VIS environment. There are many methods to simulate an asynchronous system in a synchronous environment [1]. Here, because we only require that cell transmission be asynchronous and the module itself be synchronous, we propose to simply add a channel module to the Verilog specification. This channel module plays the role of a queue between two ATMR nodes (see Figure 8).
All the cells sent or received by the access unit are hence queued in the channel module. When the access unit wants to read a cell from the channel, it actually reads the cell from the head of the queue. If the destination is the current node, the cell is processed in this access unit. Otherwise, the cell is forwarded to the next node via the channel module. This way, the sending and receiving processes within the ring can remain asynchronous. The channel is defined as follows.
channel (ch_out, ch_in, ID);
where ch_out and ch_in are wired connections to and from the nodes, and ID is the identification of the channel. In this case, the access unit becomes
mac_ctrl_node (req, ack, ch_out, ch_in, ID);
where req is the cell request signal from the client; ack is the acknowledgment; ch_out and ch_in are the output and input channels of each node; ID is the identification of the node. Here, we do not include the clock signal because we use the implicit clock source provided by VIS. The req/ack pair follows the same rule as we defined in the SPIN modeling, namely once ack becomes true, req will be true in the next clock cycle. Because Verilog instances are synchronized by the clock, we have to put the req generator in another instance and put a wire connection between these two instances.
Apart from the above features, the ATMR model (Figure 9) we verified in VIS is very similar to the one we used in SPIN. The cell format is here again a simplified one, containing only the ACF and RVCI fields (Figure 4).
Fig. 9. Modified ATMR ring structure
Note that, given the nature of specifications in SPIN and VIS, all components in VIS are truly concurrent, while they are interleaved in SPIN.
The Verilog pseudo-asynchronous ATMR model is given in Appendix B, where clk is the system clock; req and ack are the signals from/to the clients; out_cell and in_cell are the output/input cells of this unit; id is the identifier of this unit. The states and the cell types are the same as those of the SPIN model. The only difference is that, because Verilog does not have a chan (channel) data type or an mtype (message type) variable, we have to examine the data bits in the cell format explicitly.
4.2 ATMR Verification
We verified the same properties as in the SPIN study. The only difference is that, in VIS, properties are expressed in CTL and not in LTL. We present here the six liveness and safety properties of Section 3.2 in CTL. In the following descriptions, "=", "->" and "*" mean logical "equality", "implication" and "and", respectively. "AG" and "AF" mean "on all paths, in all states" and "on all paths, in some future state", respectively.
Property 1: Once an access unit exhausts its window size credits, the credits will eventually be renewed.
AG(((credit[2] = 0) * (credit[1] = 0) * (credit[0] = 0)) -> AF((credit[2] = 1) * (credit[1] = 1) * (credit[0] = 0)));
where credit is composed of three bits: credit[2], credit[1] and credit[0] (the preset maximum 6 is thus 110 in binary).
Property 2: A client's request will eventually be acknowledged.
AG((req = 1) -> AF(ack = 1));
Property 3: An access unit will eventually exit the RESET state and enter the SEND state (see Figure 4).
AG((state = RESET) -> AF(state = SEND));
Property 4: An access unit will eventually exhaust its window size credit.
AG(((credit[2] = 1) * (credit[1] = 1) * (credit[0] = 0)) -> AF((credit[2] = 0) * (credit[1] = 0) * (credit[0] = 0)));
In this property, we expect that all the credits will be consumed during the sending procedure.
Property 5: The number of reset cells in the ring cannot exceed the number of access units.
AG(NumofRst < NumofUnit);
In this property, NumofUnit is set to the number of access units in the verification, i.e., 3, 4, 5, 6, respectively.
Property 6: In the SEND state, a given station cannot send more cells than allowed by its credits.
AG((state == SEND) -> (Outmsgs <= 6))
Here, Outmsgs is the number of cells which a given station sends in the SEND state.
The experimental results of the CTL model checking obtained in VIS are reported in Table 2, including CPU time in seconds, memory usage in MB and the number of BDD nodes allocated. The graphical representations are given in Figures 10, 11, and 12. These experiments were conducted on the same machine as the SPIN verification. During the verification, we used the advanced ordering methods window and sift [2] to reduce the BDD/MDD size. VIS also provides a cone of influence model reduction technique [7] for invariant properties. However, in the verification of liveness properties, this technique cannot be applied. Besides, VIS provides a limited abstraction mechanism, namely the user must explicitly specify which signals in the model can be abstracted for one specific property verification. This technique, however, can only be used in fairly simple situations and cannot be applied in our case. Since the modeling languages of SPIN and VIS are different, we cannot claim that the two verified models, the PROMELA one and the Verilog one, are exactly the same with respect to their semantics. However, we did try to follow the modeling methods and coding styles of Verilog and PROMELA, respectively. We also tried to keep these two models at their minimum size in either tool, in order to be able to
Fig. 10. VIS verification CPU time
Fig. 11. VIS verification memory usage
compare the efficiency of SPIN and VIS in the verification of interleaving and concurrent models, respectively.
The VIS verification approach is not directly scalable to large designs due to state space explosion. From the verification results, we see that for the 3, 4 and 5-node models the verification can be finished. However, the state space blows up quickly with respect to the model size. In the verification of the 6-node model, only Property 2 can be finished. The other properties run out of memory.
3 nodes:
Property  CPU Time (s)  Memory (MB)  States
P1            57           13.59      1513196
P2             4.6         10.04       318106
P3             6.3         11.91       528411
P4            25.6         13.72      1166100
P5             4.1          9.87       308435
P6             4.8          9.98       314168

4 nodes:
Property  CPU Time (s)  Memory (MB)  States
P1          4290           26       680963412
P2            10.1         11.85       732167
P3          1962.1        201.69    346168207
P4           467.7         19.99     83736894
P5             8.1         11.72       550583
P6             9.6         11.66       565248

5 nodes:
Property  CPU Time (s)  Memory (MB)  States
P1         19640.7        124.49   1811363276
P2            31           13.79      3920178
P3         20146.9        118.98   1829837953
P4         11372.3        105.04   1152672565
P5         14734.3        289.57   1231510174
P6            24.2         13.77      2492626

6 nodes:
Property  CPU Time (s)  Memory (MB)  States
P1             -             -            -
P2         79324.5        844.01   3947015525
P3             -             -            -
P4             -             -            -
P5             -             -            -
P6         70920.1        752.69   2606471216

Table 2. ATMR verification with VIS
Fig. 12. VIS verification state space
There are two reasons for the state space explosion. One is the introduction of the channel module, which is composed of 19 latches. The other is the circular dependency of the nodes in the ring. To solve this problem, we believe that the data complexity must be decreased by more efficient abstraction and reduction techniques. Finally, for small models (less than 6 nodes), we found out that the memory usage of VIS is more efficient than that of SPIN, since VIS can finish an exhaustive search.
5 Conclusions
In this paper, we formally verified the asynchronous ATMR protocol in both SPIN and VIS. Generally, when a protocol is implemented in hardware, it cannot be handled only by a software (protocol) verification tool like SPIN, since most of these tools are based on an interleaving concurrency model and cannot reflect the true concurrency aspects of a hardware implementation. A verification in VIS leaves us, however, with the obligation of simulating an asynchronous protocol in a synchronous environment.
Feature SPIN VIS
Target system Software Hardware
Basic model Interleaving model Synchronous model
Property language LTL CTL
Specification language PROMELA Verilog
Verif. of asynch. protocol Yes Additional channel module
CPU time usage Faster Slower
Main memory usage Larger Smaller
Detect dead-lock, live-lock, etc. Yes Indirectly via temporal formulas
Graphic User Interface Yes No
Table 3. Comparison of SPIN and VIS
Because of the inherent weakness of model checking,
both SPIN and VIS are not directly scalable to large
designs due to state space explosion. Thus, it is impor-
tant to nd techniques that can be used in conjunction
with model checking tools like SPIN and VIS to extend
the size of the systems that can be veried. In this pa-
per, we used a data abstraction approach to reduce the
model of the ATMR protocol for both the SPIN and VIS
verications.
Unlike VIS, SPIN is based on interleaving models,
and hence runs generally faster than VIS because each
state update is a simpler operation, being restricted to
one component only. Comparing the two sets of veri-
cation results, we can nd generally the verication in
SPIN is faster. For example, in the 3-node model veri-
cation, the verications of Properties 1, 3, 4 and 6 in
SPIN are faster than those in VIS. Although the ap-
proximate technique used in the SPIN verication may
contribute to this dierence, we do not think this is the
major factor because the SPIN coverages of the 3-node
model properties are greater than 99.9 percent. From
this point of view, it is a disadvantage for VIS not pro-
viding an easy-to-use approximate technique. In SPIN,
one possible way to reduce the interleavings is to make
the statements atomic if these statements can be syn-
chronous. Experiments showed that in this way the state
space can be reduced for at least one order of magnitude.
SPIN uses explicit state enumeration while VIS uses implicit state enumeration (symbolic model checking). Generally, VIS uses memory more efficiently. From our experiments, we found that VIS can finish the exhaustive search in the 3-, 4-, and 5-node models. The on-the-fly approach in SPIN does not show advantages here because the model is large and the properties are global.
Since neither SPIN nor VIS is scalable to large designs, model reduction techniques are very important for verification. Both tools provide model reduction options, namely partial order reduction and cone of influence, respectively. Partial order reduction can only be used in the interleaving model and is not feasible in a tool like VIS. The model reduction techniques in VIS are limited and need a lot of human interaction.
Another weakness in VIS is that it cannot directly report deadlocks, livelocks and unreachable code. We have to express these properties with temporal formulas. For example, a deadlock is expressed as: "Sender is not in send state and receiver is not in receiving state and there is at least one cell in the channel." Generally, this property is difficult to specify in CTL. In SPIN, a deadlock can be easily found using a timeout statement.
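To make the two points above concrete, the following added example (not code from the paper, and not SPIN or VIS themselves) enumerates every interleaving of a constructed sender/receiver/channel model the way an explicit-state checker does: it shows how merging a process's statements into one atomic step shrinks the reachable state space, and it flags deadlocks of the kind the paper has to encode as a temporal formula in VIS, namely states where no process can move while a cell is still in the channel. The channel capacity, the process control states and the receiver "limit" bug are all assumptions made for the example.

```python
"""Toy explicit-state exploration of a sender/receiver/channel model.
Added example, not code from the paper: imitates how SPIN enumerates the
interleavings of asynchronous processes, shows the state-space saving of
atomic steps, and reports deadlocks (nobody can move, cell still queued)."""
from collections import deque

CAP = 1  # channel capacity (assumed): at most one cell in flight
# Global state: (sender pc, receiver pc, channel contents, cells received)

def sender_steps(s, atomic):
    """Successors for the sender. pc 0 = idle, pc 1 = cell prepared."""
    pc_s, pc_r, chan, n = s
    if atomic:                 # prepare and send as one indivisible step
        return [(0, pc_r, chan + ("cell",), n)] if len(chan) < CAP else []
    if pc_s == 0:              # prepare a cell: local work only
        return [(1, pc_r, chan, n)]
    if len(chan) < CAP:        # send only when the channel has room
        return [(0, pc_r, chan + ("cell",), n)]
    return []                  # blocked: channel full

def receiver_steps(s, atomic, limit):
    """Successors for the receiver. pc 0 = waiting, 1 = processing, 2 = stopped.
    `limit` is a constructed bug: the receiver stops after that many cells."""
    pc_s, pc_r, chan, n = s
    if pc_r == 2:
        return []
    if limit is not None and n >= limit and pc_r == 0:
        return [(pc_s, 2, chan, n)]          # receiver gives up for good
    if pc_r == 0 and chan:                   # take the cell off the channel
        n2 = min(n + 1, limit) if limit is not None else 0
        return [(pc_s, 0 if atomic else 1, chan[1:], n2)]
    if pc_r == 1:                            # finish processing the cell
        return [(pc_s, 0, chan, n)]
    return []

def explore(atomic=False, limit=None):
    """BFS over every interleaving; returns (reachable states, deadlocks)."""
    init = (0, 0, (), 0)
    seen, queue, deadlocks = {init}, deque([init]), []
    while queue:
        s = queue.popleft()
        succ = sender_steps(s, atomic) + receiver_steps(s, atomic, limit)
        if not succ and s[2]:   # no process can move and a cell is stranded
            deadlocks.append(s)
        for t in succ:
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return len(seen), deadlocks
```

`explore()` visits 8 states and finds no deadlock, `explore(atomic=True)` visits only 2, and `explore(limit=1)` reaches the deadlock state in which the sender is blocked on a full channel and the receiver has stopped.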
Finally, two practical features of these tools are worth mentioning. While VIS has a Verilog front-end that allows industrial designs to be imported and verified, SPIN comes with a graphical user interface which greatly eases the use of the tool compared to VIS.

A summary of the main points of comparison mentioned above and throughout the paper is given in Table 3.
Acknowledgments
This work is partially supported by a Concordia graduate student scholarship and NSERC research grants no. OGP0194302 and no. OGP0194234.
References
1. Rajeev Alur and Thomas A. Henzinger. Reactive modules. Formal Methods in System Design: An International Journal, 15(1):7-48, July 1999.
2. R. K. Brayton et al. VIS: A system for verification and synthesis. In Proceedings of Computer Aided Verification, volume 1102 of LNCS, pages 428-432. Springer Verlag, Rutgers University, NY, USA, July 1996.
3. E. Brinksma and A. Mader. Verification and optimization of a PLC control schedule. In Proceedings of the 7th SPIN Workshop, pages 73-92, Stanford University, California, USA, September 2000.
4. M. Charpentier and G. Padiou. Specification and verification of the ATMR protocol using UNITY. In Proceedings of International Workshop on Formal Methods for Parallel Programming, pages 26-36, University of Geneva, Switzerland, April 1997.
5. S. T. Cheng, R. K. Brayton, G. York, K. A. Yelick, and A. Saldanha. Compiling Verilog into timed finite state machines. In Proceedings of International Verilog Conference, 1995.
6. E. M. Clarke, O. Grumberg, and D. Long. Verification tools for finite-state concurrent systems. In REX School/Symposium on a Decade of Concurrency: Reflections and Perspectives, pages 124-175, Noordwijkerhout, The Netherlands, June 1993.
7. E. M. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press, 2000.
8. E. A. Emerson. Temporal and modal logic. In Handbook of Theoretical Computer Science, J. van Leeuwen (ed.), Elsevier Science B.V., North-Holland, 1990.
9. G. J. Holzmann. Design and Validation of Computer Protocols. Prentice Hall, 1991.
10. G. J. Holzmann. The engineering of a model checker: the Gnu i-protocol case study revisited. In Proceedings of SPIN Workshop, pages 233-244, Toulouse, France, September 1999.
11. G. J. Holzmann and D. Peled. An improvement in formal verification. In Proceedings of International Conference on Formal Description Techniques for Distributed Systems and Communications Protocols, pages 177-194, Bern, Switzerland, September 1994.
12. ISO. Specification of the Asynchronous Transfer Mode Ring (ATMR) Protocol, 2.0 edition, January 1993.
13. K. L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, 1993.
A PROMELA model of the ATMR
B Verilog model of the ATMR
mac_state reg [0:1] state;
if (req == 1)
if (in_cell[4:2] == id)
        if (in_cell[4:2] == id)
          begin
            out_celltype = Reset;
            state = RESET;
          end
      end
    endcase
  endcase
  // encode the outgoing cell: type field, then busy and destination addresses
  case (out_celltype)
    Data:  out_cell[1:0] = 0;
    Empty: out_cell[1:0] = 1;
    Reset: out_cell[1:0] = 2;
  endcase
  out_cell[4:2] = out_BA;
  out_cell[7:5] = out_DA;
end // always
endmodule
