A Simple Tutorial on NuSMV

Transcription

1 NuSMV-tutorial 1 A Simple Tutorial on NuSMV Chenyi Zhang March 28, 2007 For a comprehensive tutorial, please visit the site

2 NuSMV-tutorial 2 Introduction History SMV is the first BDD-based symbolic model checker NuSMV is a re-implementation and extension of SMV by ITC-IRST, UniTN, CMU and UniGE, now it s on version Extensions: LTL, Simulation, SAT etc. OpenSource Licensing In CSE czhang/nusmv, you may create a link to this file by resetting your $PATH and then export

3 NuSMV-tutorial 3 An Overview of the Modeling Language Recall that Model Checking is: M = ϕ In NuSMV: The system M is a Kripke Structure defined by state variables of the types: boolean, enumerate, bounded integer and array And transitions in assignment style or constraint style (more in later slides) The specification ϕ in CTL formula, LTL formula or as an invariant May also assume fairness

4 NuSMV-tutorial 4 A Hello World Example MODULE main ASSIGN VAR init(b0) := 0; b0 : boolean; next(b0) :=!b0;!b 0 b 0 0 1

5 NuSMV-tutorial 5 Declaring State Variables State variables determine the size of the Kripke structure Available types: bool, enumerative, bounded integers VAR x: boolean; state: {ready, busy, waiting}; num: 1..8;

6 NuSMV-tutorial 6 Another Example MODULE main VAR ASSIGN b0 : boolean; init(b0) := 0; b1 : boolean; next(b0) :=!b0;!b 0 /!b 1 b 0 /!b 1!b 0 /b 1 b 0 /b 1

7 NuSMV-tutorial 7 Expressions Arithmetic operators: +,,, /, mod, (unary) Comparison operators: =,! =, >, <, <=, >= Logic operators: &,, xor,!, >, < > Set operators: {v 1, v 2,...v n }, in, union Conditional Expression: variable := case c 1 : e 1 ; c 2 : e 2 ;. 1: e n ; esac

8 NuSMV-tutorial 8 Syntax for ASSIGN statements The expression must evaluate to values in the domain of variable next expression depends on current and next if no next() assignment is specified for a variable, then the variable evolves nondeterministically (i.e., it s unconstrained) init(<variable>) := <simple_expression>; next(<variable>) := <next_expression>;

9 NuSMV-tutorial 9 The DEFINE Declaration MODULE main VAR b0 : boolean; b1 : boolean; b2 : boolean; ASSIGN init(b0) := 0;... DEFINE out := b0 + 2*b1 + 4*b2; done := b0 & b1 & b2; There is no VAR definitions like out : 0..7; done : boolean; No new state variable is created (hence, no added complexity)

10 NuSMV-tutorial 10 Arrays The SMV language provides also the possibility to define arrays. VAR x : array of boolean; y : array 2..4 of 0..10; ASSIGN init(x[5]) := 1; init(y[2]) := {0,2,4,6,8,10}; Array indexes in SMV must be constants.

11 NuSMV-tutorial 11 Restrictions on the ASSIGN statements Double assignments rule each variable may be assigned only once - but can assign more than one value at once (nondeterminism) - eg. next(num) := {1, 2}; Circular dependencies rule a variable can not have cycles in its dependency graph that are not broken by delays

12 NuSMV-tutorial 12 Examples: which are illegal? init(status) := ready; init(status) := busy; init(status) := {ready, busy}; x := (y + 1) mod 2; y := (x + 1) mod 2; next(x) := x & next(y); next(y) := y & next(x); next(x) := x & next(y);

13 NuSMV-tutorial 13 Examples Cont. init(status) := ready; (double assignments) init(status) := busy; init(status) := {ready, busy}; (ok) x := (y + 1) mod 2; (circular dependencies) y := (x + 1) mod 2; next(x) := x & next(y); (circular dependencies) next(y) := y & next(x); next(x) := x & next(y); (ok, no circles)

14 NuSMV-tutorial 14 Modules An SMV program can consist of one or more module declarations. MODULE mod MODULE main VAR VAR m1 : mod; out: 0..9; m2 : mod; ASSIGN sum: 0..18; next(out) := (out+1) mod 10 ASSIGN sum := m1.out + m2.out; main m1 m2

15 NuSMV-tutorial 15 More Modules Modules are instantiated in other modules. The instantiation is performed inside the VAR declaration of the parent module. In each SMV specification there must be a module main. It is the top-most module. All the variables declared in a module instance are visible in the module in which it has been instantiated via the dot notation (eg., m1.out, m2.out). MODULE mod(in) MODULE main VAR VAR m1 : mod(m2.out); out: 0..9; m2 : mod(m1.out);......

16 NuSMV-tutorial 16 Specifications Specifications can be added in any module of the program Each property is verifed separately Different kinds of properties are allowed: On reachable states: INVARSPEC On the computation paths (LTL): LTLSPEC Qualitative characteristic of models: COMPUTE Branching time (CTL): SPEC Bounded CTL: SPEC

17 NuSMV-tutorial 17 Syntax for Specifications INVARSPEC simple expression Example: INVARSPEC (m1.crit ->!m2.crit)&(m2.crit ->!m1.crit) LTLSPEC ltl expression Example: LTLSPEC F out = 3 Temporal operators: X F G U SPEC ctl expression Temporal operators: AX AF AG A[ U ] and also: EX EF EG E[ U ] Bounded CTL: SPEC ABF 0..2 out = 3 which says out = 3 is reachable in 2 steps

18 NuSMV-tutorial 18 Fairness Constraints NuSMV allows to specify fairness cosntraints Fairness constraints are formulas which are assumed to be true infinitely often in all the execution paths of interest During the verification of properties, NuSMV considers path quantifiers to apply only to fair paths Syntax: FAIRNESS simple expression Example: FAIRNESS out = 3

19 NuSMV-tutorial 19 The Constraint Style MODULE main VAR request : boolean; state : {ready,busy}; ASSIGN init(state) := ready; next(state) := case state = ready & request : busy; 1 : {ready,busy}; This program can be alternatively defined in a constraint style. MODULE main VAR request : boolean; state : {ready,busy}; INIT state = ready TRANS (state = ready & request) -> next(state) = busy

20 NuSMV-tutorial 20 Assignments vs Constraints Any ASSIGN-based specification can be easily rewritten as an equivalent constraint-based specification, but the converse might be hard In assignment style, there is always at least one initial state, and all states have at least one next state by construction In constraint style, INIT constraints can be inconsistent (eg. INIT p&!p), then any specification is vacuously true TRANS constraints can be inconsistent in the sense that the transition relation is not total (there are deadlock states), and NuSMV detects and reports this case. In assignment style, nondeterminism is apparent (unassigned variables, set assignments...), but in constraint style nondeterminism is hidden in the constraints.

21 NuSMV-tutorial 21 Demo: A simple print server ready/!req busy/!req ready/req busy/req

22 NuSMV-tutorial 22 Synchronous Composition MODULE cell(input) MODULE main VAR VAR val: {red, green}; c1: cell(c2.val); ASSIGN c2: cell(c1.val); next(val):={val, input}; By default, composition of modules is synchronous. step c1.val c2.val 0 red green Here is a possible execution: 1 green red 2 green green 3 green green

23 NuSMV-tutorial 23 Asynchronous Composition Asynchronous composition can be obtained by using keyword process. In asynchronous composition one process moves at each step. Boolean variable running is defined in each process: it is true when that process is selected it can be used to guarantee a fair scheduling of processes. MODULE cell(input) VAR val: {red, green, blue}; ASSIGN next(val):={val, input}; FAIRNESS running MODULE main VAR c1: process cell(c2.val); c2: process cell(c3.val); c3: process cell(c1.val);

24 NuSMV-tutorial 24 A Possible Asynchronous Run step c1.val c2.val c3.val 0 red green blue 1 red green blue 2 green green blue 3 green blue blue 4 green blue green

25 NuSMV-tutorial 25 Questions

26 NuSMV-tutorial 26 Other Issues 1. Consultation: when (?) and where (CSE level 2) 2. Ask questions on the course forum