For verifications (with ispin) that use never claims, I get outputs with depth reached larger than the number of states and the number of transitions, e.g.:

Full statespace search for:
    never claim             + (REQ5)
    assertion violations    + (if within scope of claim)
    cycle checks        - (disabled by -DSAFETY)
    invalid end states  - (disabled by never claim)

State-vector 60 byte, depth reached 87, errors: 1
       41 states, stored
       10 states, matched
       51 transitions (= stored+matched)
        9 atomic steps
hash conflicts:         0 (resolved)

I find that a bit unintuitive. Is there a precise description of the semantics of "depth reached" somewhere (more thorough than pan's output format description)? Maybe the meaning of

longest depth-first search path contained 87 transitions

does not refer to the 51 transitions, but to the transitions of the system automata composed with the never claim?

DaveFar

1 Answer

Yes, you are (kind of) right when you say it refers to the transitions of the system automaton composed with the never claim. Yet at the same time it is the length of the path in the system being verified, because one step of the system composed with the never claim is exactly one step of the system. Of course, depending on the never claim one might need to explore more or fewer transitions than the system has. Paths are not even necessarily loop-free (depending on the claim) and not even minimal (unless a special option is set).

Serge
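To make the answer concrete, here is an added toy example (not SPIN's or pan's own code) that runs a depth-first search over the product of a constructed 4-state counter and a constructed never claim, and reports counters shaped like pan's summary. The lockstep rule (claim moves first, then the system), the names `verify`, `counter_succ`, `wrap_counting_claim` and `trivial_claim`, and the decision to count a move into an already-stored state toward the depth are assumptions of the example; pan's treatment of atomic steps and partial-order reduction is not modelled, so in this toy the depth can never exceed the number of stored product states.

```python
"""Toy DFS over a system automaton composed with a never claim.

Added illustration for this thread, not pan's code.  It reproduces only the
shape of pan's summary counters (depth reached, states stored, states
matched, transitions, errors) for the synchronous product of a small system
and a claim automaton, so that "depth reached" can be compared with the
size of the system alone.
"""
from typing import Callable, Dict, Hashable, List, Optional, Set, Tuple

State = Hashable
Claim = int
Product = Tuple[State, Claim]


# Constructed system: a modulo-4 counter, 4 reachable states, 4 transitions.
def counter_succ(n: int) -> List[int]:
    return [(n + 1) % 4]


# Constructed claim A: advances one phase each time it observes n == 3 and
# reaches its end (phase 3) after the third wrap.  Like a Promela never
# claim it reads the system state but never changes it.
def wrap_counting_claim(phase: Claim, n: int) -> List[Claim]:
    return [phase + 1] if n == 3 else [phase]


# Constructed claim B: one state, always enabled.  The product is then
# isomorphic to the system itself.
def trivial_claim(phase: Claim, n: int) -> List[Claim]:
    return [0]


def verify(sys_init: State, sys_succ: Callable[[State], List[State]],
           claim_init: Claim, claim_succ: Callable[[Claim, State], List[Claim]],
           claim_accept: Optional[Claim]) -> Tuple[Dict[str, int], List[Product]]:
    """DFS of (system, claim) pairs in lockstep: the claim moves first, then
    the system.  Reaching `claim_accept` is an error and, as with -DSAFETY,
    the search stops at the first one.  Returns pan-style counters and the
    error trail (empty when no error was found)."""
    stats = {"depth reached": 0, "states stored": 0, "states matched": 0,
             "transitions": 0, "errors": 0}
    stored: Set[Product] = set()
    trail: List[Product] = []

    def dfs(s: State, c: Claim, depth: int) -> bool:
        """True when an error was found and the search is cut short."""
        stats["depth reached"] = max(stats["depth reached"], depth)
        if (s, c) in stored:
            stats["states matched"] += 1      # seen before: not expanded again
            return False
        stored.add((s, c))
        stats["states stored"] += 1
        trail.append((s, c))
        if c == claim_accept:
            stats["errors"] += 1              # claim matched: a violation
            return True
        for c_next in claim_succ(c, s):       # claim step (may block the branch)
            for s_next in sys_succ(s):        # then one system step
                if dfs(s_next, c_next, depth + 1):
                    return True
        trail.pop()
        return False

    dfs(sys_init, claim_init, 0)
    # pan prints transitions as stored + matched; mirror that convention.
    stats["transitions"] = stats["states stored"] + stats["states matched"]
    return stats, trail


def report(stats: Dict[str, int]) -> str:
    """Format the counters roughly the way pan's summary does."""
    return ("depth reached {depth reached}, errors: {errors}\n"
            "{states stored:>8} states, stored\n"
            "{states matched:>8} states, matched\n"
            "{transitions:>8} transitions (= stored+matched)").format(**stats)


if __name__ == "__main__":
    for name, claim, accept in (("wrap-counting claim", wrap_counting_claim, 3),
                                ("trivial claim", trivial_claim, None)):
        stats, trail = verify(0, counter_succ, 0, claim, accept)
        print(f"--- {name} ---")
        print(report(stats))
        if trail:
            print("error trail (system state, claim phase):", trail)
```

With the wrap-counting claim the longest path has 12 transitions although the system alone has only 4 states and 4 transitions: the product state carries the claim's phase, so the same counter value is stored once per phase and the path keeps going around the counter's cycle. With the trivial claim the counters collapse to those of the system alone (4 stored, 1 matched on closing the cycle), which is the sense in which the answer says a product step is exactly one system step.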