Introduction to SMV. Arie Gurfinkel (SEI/CMU) based on material by Prof. Clarke and others Carnegie Mellon University

Similar documents
Introduction to SMV Part 2

The SMV system DRAFT. K. L. McMillan. Carnegie-Mellon University. February 2, 1992

the possible applications of symbolic model checking to hardware verification. This document describes the syntax and semantics of the SMV input langu

Introduction to NuSMV

NuSMV Hands-on introduction

A Simple Tutorial on NuSMV

NuSMV 2.2 Tutorial. Roberto Cavada, Alessandro Cimatti, Gavin Keighren, Emanuele Olivetti, Marco Pistore and Marco Roveri

Using Cadence SMV. to verify temporal properties of finite-state machines : Intro to Model Checking April 6, 2011.

CTL Model Checking with NuSMV

Automated Reasoning Lecture 3: The NuSMV Model Checker

CSC410 Tutorial. An Introduction to NuSMV. Yi Li Nov 6, 2017

arxiv:cs/ v1 [cs.se] 16 Jul 2004

NuSMV 2.2 User Manual

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

Lecture1: Symbolic Model Checking with BDDs. Edmund M. Clarke, Jr. Computer Science Department Carnegie Mellon University Pittsburgh, PA 15213

NuSMV 2.3 User Manual

Illlll~~ iII! 075l

Binary Decision Diagrams and Symbolic Model Checking

Double Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Lecture 2: Symbolic Model Checking With SAT

Model-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner

Automated Refinement Checking of Asynchronous Processes. Rajeev Alur. University of Pennsylvania

Verifying IP-Core based System-On-Chip Designs

Formal Analysis and Verification of a Communication Protocol

WHEN concurrent processes share a resource such as a file

Formal Verification by Model Checking

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

Model-Checking Concurrent Systems

The Spin Model Checker : Part I/II

Predicate Abstraction Daniel Kroening 1

CSC2108: Automated Verification Assignment 1 - Solutions

Formal Specification and Verification

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

Applications of Formal Verification

Model Checkers for Test Case Generation: An Experimental Study

Software Engineering using Formal Methods

Applications of Formal Verification

User Manual of Extended NuSMV

More on Verification and Model Checking

Sérgio Campos, Edmund Clarke

Finite State Verification. CSCE Lecture 14-02/25/2016

Software Engineering using Formal Methods

Design Constraints in Symbolic Model Checking

Formal Verification of a Commercial Serial Bus Interface Bernard Plessier & Carl Pixley Motorola SSDT-Austin (51 2) , cad-pixleyq .mot.

Overview. Discrete Event Systems - Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Finite State Verification. CSCE Lecture 21-03/28/2017

Design and Analysis of Distributed Interacting Systems

Action Language Verifier, Extended

Model checking Timber program. Paweł Pietrzak

Having a BLAST with SLAM

Applications of Formal Verification

Model Checking. Dragana Cvijanovic

Symbolic Methods. The finite-state case. Martin Fränzle. Carl von Ossietzky Universität FK II, Dpt. Informatik Abt.

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

Temporal Logic and Timed Automata

Model Checking. Automatic Verification Model Checking. Process A Process B. when not possible (not AI).

An Automatic Design Flow from Formal Models to FPGA

Alloy: A Lightweight Object Modelling Notation

A Case Study for CTL Model Update

Formal Verification of Business Continuity Solutions

Software Model Checking. From Programs to Kripke Structures

Reducing Fair Stuttering Refinement of Transaction Systems

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis II

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

Simplification of NuSMV Model Checking Counter Examples. Jussi Lahtinen February 14, 2008

The Verus Language: Representing Time efficiently with BDDs 1

COMP 763. Eugene Syriani. Ph.D. Student in the Modelling, Simulation and Design Lab School of Computer Science. McGill University

Automated Program Analysis with Software Model Checking

Combining Decision Diagrams and SAT Procedures for Efficient Symbolic Model Checking

Software Model Checking. Xiangyu Zhang

Lecture 3 SPIN and Promela

Introduction to Model Checking

CS 510/13. Predicate Abstraction

Programming Languages Third Edition

Model Checking VHDL with CV

Nondeterministic Testing with Linear Model-Checker Counterexamples (Research Paper)

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

NuSMV 2: An OpenSource Tool for Symbolic Model Checking

Proving the Correctness of Distributed Algorithms using TLA

A Meta Hardware Description Language Melasy for Model-Checking Systems

Formal Verification. Lecture 7: Introduction to Binary Decision Diagrams (BDDs)

Model Checking Cache Coherence Protocols for Distributed File Systems

Predicate Abstraction and Refinement Techniques for Verifying Verilog

Model Checking for Autonomy Software

Model Checking with Automata An Overview

Building Graphical Promela Models using UPPAAL GUI

A Theory of Consistency for Modular Synchronous Systems

ELECTRONIC devices operate in a variety of environments,

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

Symbolic Trajectory Evaluation - A Survey

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

Formal Verification: Practical Exercise Model Checking with NuSMV

Model Checking Software Programs with. First Order Logic Specifications using AIG Solvers

Formal Verification Techniques for Digital Systems

Acceleration of SAT-based Iterative Property Checking

Symbolic Synthesis of Knowledge-based Program Implementations with Synchronous Semantics

Specifying circuit properties in PSL. (Some of this material is due to Cindy Eisner and Dana Fisman, with thanks) See also the Jasper PSL Quick Ref.

Behavior models and verification Lecture 6

Safety Assessment of AltaRica models via Symbolic Model Checking

Transcription:

Introduction to SMV Arie Gurfinkel (SEI/CMU) based on material by Prof. Clarke and others 2 Carnegie Mellon University

Symbolic Model Verifier (SMV) Ken McMillan, Symbolic Model Checking: An Approach to the State Explosion Problem, 993. Finite-state Systems described in a specialized language Specifications given as CTL formulas Internal representation using ROBDDs Automatically verifies specification or produces a counterexample 2/8/25 2 Carnegie 2 Mellon University 2

Overview of SMV SMV Input Language Backend Finite State Kripke Structure OBDD based Symbolic Model Checking Yes Specification CTL Formula No CounterExample 2/8/25 2 Carnegie 3 Mellon University 3

SMV Variants Cadence SMV NuSMV CMU SMV l Oldest Version l No GUI l Strong abstraction functions l GUI l New language Two versions l 2.x: Open Source, many new features, BDD and SAT based backends l.x: Original version, had a GUI 2 Carnegie Mellon University 4

NuSMV2 Architecture 2 Carnegie Mellon University 5

SMV Language Allows description of completely synchronous to asynchronous systems, detailed to abstract systems Modularized and hierarchical descriptions Finite data types: Boolean and enumerated Parallel-assignment syntax Non-determinism 2 Carnegie Mellon University 6

A Sample SMV Program (short.smv) MODULE main VAR request: boolean; state: {ready, busy}; ASSIGN init(state) := ready; next(state) := case state=ready & request: busy; TRUE : {ready, busy}; esac; SPEC AG(request - > AF (state = busy)) 2/8/25 2 Carnegie 7 Mellon University 7

Kripke structure Computation tree ready!request busy!request busy!request ready request busy request holds after one step ready request busy request busy request holds in the initial state AG(request - > AF (state = busy)) 8 2 Carnegie Mellon University 8

A Sample SMV Program (short.smv) MODULE main VAR request: boolean; state: {ready, busy}; ASSIGN init(state) := ready; next(state) := case esac; what if AF is changed to AX? state=ready & request: busy; TRUE : {ready, busy}; SPEC AG(request - > AX (state = busy)) 2/8/25 9 2 Carnegie Mellon University 9

AG(request - > AX (state = busy)) is false ready!request busy!request ready request busy request 2 Carnegie Mellon University

SMV Syntax: Expressions Expr :: atom - - symbolic constant number - - numeric constant id - - variable identifier! Expr - - logical not Expr & Expr - - logical and Expr Expr - - logical or Expr - > Expr - - logical implication Expr <- > Expr - - logical equivalence next ( id ) - - next value Case_expr Set_expr 2 Carnegie Mellon University

The Case Expression Case_expr :: case expr_a : expr_b 2 ; expr_a n : expr_b n ; esac Guards are evaluated sequentially The first one that is true determines the resulting value Cases must be exhaustive It is an error if all expressions on the left hand side evaluate to FALSE 2 Carnegie Mellon University 2

Variables and Assignments Decl :: VAR atom : type ; atom2 : type2 ; Decl :: ASSIGN dest := Expr ; dest2 := Expr2 ; Dest :: atom - - current init ( atom ) - - initial next ( atom ) - - next- state 2 Carnegie Mellon University 3

Variables and Assignments (cont d) State is an assignment of values to a set of state variables Type of a variable boolean, scalar, user defined module, or array. Assignment to initial state: init(value) := FALSE; Assignment to next state (transition relation) next(value) := value xor carry_in; Assignment to current state (invariant) carry_out := value & carry_in; Either init-next or invar should be used, but not both SMV is a parallel assignment language 2 Carnegie Mellon University 4

Circular Definitions are not allowed a := next(b); next(b) := c; c := a; init(a) := ; next(a) :=!b; init(b) := ; next(b) :=!a; 2 Carnegie Mellon University 5

Nondeterminism Completely unassigned variable model unconstrained input {val_,, val_n} is an expression taking on any of the given values nondeterministically next(b) := {TRUE, FALSE}; Nondeterministic choice can be used to: Model an environment that is outside of the control of the system Model an implementation that has not been refined yet Abstract behavior 2 Carnegie Mellon University 6

ASSIGN and DEFINE VAR a: boolean; ASSIGN a := b c; declares a new state variable a becomes part of invariant relation DEFINE d := b c; a macro definition, each occurrence of d is replaced by (b c) no extra BDD variable is generated for d the BDD for (b c) becomes part of each expression using d 2 Carnegie Mellon University 7

SPEC Declaration Decl :: SPEC ctlform Ctlform :: expr - - bool expression! ctlform Ctlform <op> Ctlform E Pathform A Pathform Pathform :: X Ctlform F Ctlform G Ctlform Ctlform U Ctlform 2 Carnegie Mellon University 8

Modules Modules can be instantiated many times, each instantiation creates a copy of the local variables Each program must have a module main Scoping Variables declared outside a module can be passed as parameters Parameters are passed by reference. 2 Carnegie Mellon University 9

Pass by reference DEFINE a := ; VAR b : bar(a); MODULE bar(x) DEFINE a := ; y := x; DEFINE a := ; b.y := ; b.a := ; 2 2 Carnegie Mellon University 2

Pass by reference VAR a : boolean; b : foo(a); MODULE foo(x) VAR y : boolean; ASSIGN x := TRUE; y := FALSE; VAR a : boolean; b.y : boolean; ASSIGN a := TRUE; b.y := FALSE; 2 2 Carnegie Mellon University 2

A Three-Bit Counter MODULE main VAR bit : counter_cell(true); bit : counter_cell(bit.carry_out); bit2 : counter_cell(bit.carry_out); SPEC AG AF bit2.carry_out MODULE counter_cell(carry_in) VAR value : boolean; ASSIGN init(value) := FALSE; next(value) := value xor carry_in; DEFINE carry_out := value & carry_in; value + carry_in mod 2 2 Carnegie Mellon University 22

module instantiations in val out bit module declaration in val out in val out bit in val out bit2 2 Carnegie Mellon University 23

24 2 Carnegie Mellon University in val out bit in val out bit in val out bit2 bit2.carry_out is ture AG AF bit2.carry_out is true

A Three-Bit Counter MODULE main VAR bit : counter_cell(true); bit : counter_cell(bit.carry_out); bit2 : counter_cell(bit.carry_out); SPEC AG (!bit2.carry_out) MODULE counter_cell(carry_in) VAR value : boolean; ASSIGN init(value) := FALSE; next(value) := value xor carry_in; DEFINE carry_out := value & carry_in; 2 Carnegie Mellon University 25

26 2 Carnegie Mellon University in val out bit in val out bit in val out bit2 bit2.carry_out is ture AG (!bit2.carry_out) is false

Module Composition Synchronous composition All assignments are executed in parallel and synchronously. A single step of the resulting model corresponds to a step in each of the components. Asynchronous composition A step of the composition is a step by exactly one process. Variables, not assigned in that process, are left unchanged. 2 Carnegie Mellon University 27

Inverter Ring MODULE main VAR gate : process inverter(gate3.output); gate2 : process inverter(gate.output); gate3 : process inverter(gate2.output); SPEC (AG AF gate.output) & (AG AF!gate.output) MODULE inverter(input) VAR output : boolean; ASSIGN init(output) := FALSE; next(output) :=!input; FAIRNESS running 2 Carnegie Mellon University 28

29 2 Carnegie Mellon University in out gate in out in out gate gate2 In asynchronous composition, a step of the computation is a step by exactly one component. The process to execute is assumed to choose gate, gate, and gate2 repeatedly. (AG AF gate.output) & (AG AF!gate.output) is true

Fairness FAIRNESS Ctlform Assumed to be true infinitely often Model checker only explores paths satisfying fairness constraint Each fairness constraint must be true infinitely often If there are no fair paths All existential formulas are false All universal formulas are true FAIRNESS running 2 Carnegie Mellon University 3

Synchronous vs Asynchronous In Asynchronous process, need not combine transition relation of each process Complexity of representing set of states reachable in n steps higher in asynchronous processes occasionally due to higher number of interleavingn SMV models asynchronous composition by a synchronous one 2 Carnegie Mellon University 3

Implicit Modeling INIT Expr Boolean valued expression giving initial states INVAR Expr Boolean valued expression restricting set of all states of model TRANS Expr Boolean valued expression restricting transition relation of system 2 Carnegie Mellon University 32

Implicit Modeling Example MODULE main VAR gate : inverter(gate3.output); gate2 : inverter(gate.output); gate3 : inverter(gate2.output); SPEC (AG AF gate.out) & (AG AF!gate.out) MODULE inverter(input) VAR output : boolean; INIT output = FALSE; TRANS next(output) =!input next(output) = output 2 Carnegie Mellon University 33

TRANS Advantages Group assignments to different variables Good for modeling guarded commands IF guard THEN new state Disadvantages Logical absurdities can lead to unimplementable descriptions 2 Carnegie Mellon University 34

Shared Data Example Two users assign PID to Data in turn MODULE main VAR data : boolean; turn : {,}; user : user(, data, turn); user : user(, data, turn); ASSIGN next(turn) :=!turn; SPEC AG (AF data & AF (!data)) MODULE user(pid, data, turn) ASSIGN next(data) := case turn=pid : pid; TRUE : data; esac; Error: multiple assignment: next(data) 2 Carnegie Mellon University 35

Shared Data Example with TRANS MODULE main VAR data : boolean; turn : {,}; user : user(, data, turn); user : user(, data, turn); ASSIGN next(turn) :=!turn; SPEC AG (AF data & AF (!data)) MODULE user(pid, data, turn) TRANS turn=pid - > next(data) = pid; 2 Carnegie Mellon University 36

TRANS Pitfalls TRANS TRUE - > next(b) = & TRUE - > next(b) = & Inconsistencies in TRANS result in an empty transition relation All universal properties are satisfied All existential properties are refuted 2 Carnegie Mellon University 37

TRANS Guidelines Use ASSIGN if you can! Validate your model with simulation and sanity checks Check that transition relation is total (-ctt option) Write in a disjunction of conjunction format Cover all cases Make guards disjoint 2 Carnegie Mellon University 38

MODULE main VAR send : {s,s,s2}; recv : {r,r,r2}; ack : boolean; req : boolean; ASSIGN init(ack):=false; init(req):=false; init(send):= s; init(recv):= r; next (send) := case send=s:{s,s}; send=s:s2; send=s2&ack:s; TRUE:send; esac; next (recv) := case recv=r&req:r; recv=r:r2; recv=r2:r; TRUE: recv; esac; next (ack) := case recv=r2:true; TRUE: ack; esac; next (req) := case send=s:false; TRUE: req; esac; SPEC AG (req - > AF ack) 2 Carnegie Mellon University 39

Can A TRUE Result of Model Checker be Trusted Antecedent Failure [Beatty & Bryant 994] A temporal formula AG (p q) suffers an antecedent failure in model M iff M AG (p q) AND M AG ( p) Vacuity [Beer et al. 997] A temporal formula ϕ is satisfied vacuously by M iff there exists a sub-formula p of ϕ such that M ϕ[p q] for every other formula q e.g., M AG (r AF a) and M AG (r AF a) and AG (r AF r) and AG (r AF FALSE), 2 Carnegie Mellon University 4

Vacuity Detection: Single Occurrence ϕ is vacuous in M iff there exists an occurrence of a subformula p such that M ϕ[p TRUE] and M ϕ[p FALSE] M AG (req AF TRUE) M AG TRUE M AG (req AF FALSE) M AG req M AG (TRUE AF ack) M AG AF ack M AG (FALSE AF ack) M AG TRUE 2 Carnegie Mellon University 4

Detecting Vacuity in Multiple Occurrences Is AG (req AF req) vacuous? Should it be? M AG (TRUE AF TRUE) M AG TRUE M AG (FALSE AF FALSE) M AG TRUE Is AG (req AX req) vacuous? Should it be? M AG (TRUE AX TRUE) M AG TRUE M AG (FALSE AX FALSE) M AG TRUE 2 Carnegie Mellon University 42

Detecting Vacuity in Multiple Occurrences: ACTL An ACTL ϕ is vacuous in M iff there exists an a subformula p such that M ϕ[p x], where x is a non-deterministic variable Is AG (req AF req) vacuous? Should it be? M AG (x AF x) M AG TRUE Always vacuous!!! Is AG (req AX req) vacuous? Should it be? M AG (x AX x) can t reduce Can be vacuous!!! 2 Carnegie Mellon University 43

Run NuSMV NuSMV [options] inputfile - int - lp interactive mode list all properties - n X check property number X - ctt check totality of transition relation - old compatibility mode - ofm file output flattened model 2 Carnegie Mellon University 44

Using NuSMV in Interactive Mode Basic Usage go prepare model for verification check_ctlspec verify properties Simulation pick_state [- i] [- r] pick initial state for simulation [interactively] or [randomly] simulate [- i] [r] s simulate the model for s steps [interactively] or [randomly] show_traces show active traces 2 Carnegie Mellon University 45

Useful Links NuSMV home page http://nusmv.fbk.eu/ NuSMV tutorial http://nusmv.fbk.eu/nusmv/tutorial/v25/tutorial.pdf NuSMV user manual http://nusmv.fbk.eu/nusmv/userman/v25/nusmv.pdf NuSMV FAQ http://nusmv.fbk.eu/faq.html NuSMV on Andrew /afs/andrew.cmu.edu/usr6/soonhok/public/nusmv-zchaff-2.5.3-x86_64-redhatlinux-gnu/ NuSMV examples <NuSMV>/share/nusmv/examples Ken McMillan, Symbolic Model Checking: An Approach to the State Explosion Problem, 993 http://www.kenmcmil.com/pubs/thesis.pdf 2 Carnegie Mellon University 46

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback