NuSMV Hands-on introduction

Similar documents
A Simple Tutorial on NuSMV

CSC410 Tutorial. An Introduction to NuSMV. Yi Li Nov 6, 2017

Introduction to NuSMV

Introduction to SMV. Arie Gurfinkel (SEI/CMU) based on material by Prof. Clarke and others Carnegie Mellon University

Automated Reasoning Lecture 3: The NuSMV Model Checker

NuSMV 2.2 Tutorial. Roberto Cavada, Alessandro Cimatti, Gavin Keighren, Emanuele Olivetti, Marco Pistore and Marco Roveri

Using Cadence SMV. to verify temporal properties of finite-state machines : Intro to Model Checking April 6, 2011.

CTL Model Checking with NuSMV

NuSMV 2.2 User Manual

The SMV system DRAFT. K. L. McMillan. Carnegie-Mellon University. February 2, 1992

the possible applications of symbolic model checking to hardware verification. This document describes the syntax and semantics of the SMV input langu

NuSMV 2.3 User Manual

Introduction to SMV Part 2

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Finite State Verification. CSCE Lecture 14-02/25/2016

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

CSC2108: Automated Verification Assignment 1 - Solutions

Finite State Verification. CSCE Lecture 21-03/28/2017

NuSMV 2.5 User Manual

Formal Verification: Practical Exercise Model Checking with NuSMV

Lecture 2: Symbolic Model Checking With SAT

Lecture1: Symbolic Model Checking with BDDs. Edmund M. Clarke, Jr. Computer Science Department Carnegie Mellon University Pittsburgh, PA 15213

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

WHEN concurrent processes share a resource such as a file

Double Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST

arxiv:cs/ v1 [cs.se] 16 Jul 2004

Temporal Logic and Timed Automata

Cyber Physical System Verification with SAL

The Spin Model Checker : Part I/II

A Case Study for CTL Model Update

Overview of SRI s. Lee Pike. June 3, 2005 Overview of SRI s. Symbolic Analysis Laboratory (SAL) Lee Pike

AsmetaSMV: a model checker for AsmetaL models Tutorial

Formal Verification of Business Continuity Solutions

Model-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner

Formal Analysis and Verification of a Communication Protocol

PSL/Sugar Version 1.28

Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints

User Manual of Extended NuSMV

IWAISE November 12, 2012

Action Language Verifier, Extended

Illlll~~ iII! 075l

Simplification of NuSMV Model Checking Counter Examples. Jussi Lahtinen February 14, 2008

Modeling and Analysis of Networked Embedded Systems using UPPAAL. Ezio Bartocci

Verification of Intelligent Software

Overview. Discrete Event Systems - Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Model-Checking Concurrent Systems

6.0 ECTS/4.5h VU Programm- und Systemverifikation ( ) June 22, 2016

Automated Compliance Verification of Business Processes in Apromore

Model Checking for Autonomy Software

SMV Project. Arun Autuchirayll, Manjulata Chivukula, Bhargava Konidena. April 28, 2009

Formal Verification by Model Checking

Sérgio Campos, Edmund Clarke

Predicate Abstraction Daniel Kroening 1

Verification Options. To Store Or Not To Store? Inside the UPPAAL tool. Inactive (passive) Clock Reduction. Global Reduction

Model Checking with Automata An Overview

NuSMV 2: An OpenSource Tool for Symbolic Model Checking

More on Verification and Model Checking

Traffic Light Controller Examples in SMV. Himanshu Jain Bug catching (Fall 2007)

Software Model Checking: Theory and Practice

Test-Case Generation and Coverage Analysis for Nondeterministic Systems Using Model-Checkers

Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim

A Modular Model Checking Algorithm for Cyclic Feature Compositions

Structure of Abstract Syntax trees for Colored Nets in PNML

Available online at ScienceDirect. Procedia Computer Science 57 (2015 )

NuSMV 2: An OpenSource Tool for Symbolic Model Checking

Analysis of Boolean Programs TACAS 2013

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

Automated Refinement Checking of Asynchronous Processes. Rajeev Alur. University of Pennsylvania

T Reactive Systems: Kripke Structures and Automata

A New Model Checking Tool

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Property Verification for Generic Access Control Models 1

Model Checking. Dragana Cvijanovic

The UPPAAL Model Checker. Julián Proenza Systems, Robotics and Vision Group. UIB. SPAIN

Tool demonstration: Spin

Formal Verification. Lecture 7: Introduction to Binary Decision Diagrams (BDDs)

Model checking and timed CTL

Model Checkers for Test Case Generation: An Experimental Study

Building Graphical Promela Models using UPPAAL GUI

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

Analysis of a Measured Launch

An Introduction to UPPAAL. Purandar Bhaduri Dept. of CSE IIT Guwahati

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis II

Scenario Graphs Applied to Security (Summary Paper)

To be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 COPYRIGHT 2011 ALCATEL-LUCENT. ALL RIGHTS RESERVED.

Timo Latvala. January 28, 2004

Symbolic Verification of Timed Asynchronous Hardware Protocols

XML Output. Handling TRANS INVAR and INIT

BDDC v2 A basic bdd-based logical calculator

Design and Analysis of Distributed Interacting Systems

Model Checking CSMA/CD Protocol Using an Actor-Based Language

Haskell Overview III (3A) Young Won Lim 10/4/16

Model Checking. Automatic Verification Model Checking. Process A Process B. when not possible (not AI).

Formell verifikation av extern hårdvara med säkerhetskrav

Duet: Static Analysis for Unbounded Parallelism

COTRE as an AADL profile

The SPIN Model Checker

Model checking Timber program. Paweł Pietrzak

Auto-Generating Test Sequences for Web Applications *

Transcription:

NuSMV Hands-on introduction F. Mallet fmallet@unice.fr Université Nice Sophia Antipolis

NuSMV 1 was an extension of SMV NuSMV 2 SMV : first BDD-based symbolic model-checker [McMillan, 90] NuSMV 2 Combines BDD-based and SAT-based modelchecking OpenSource licensing (GNU LGPL) F. Mallet 2

Kripke Structure Non-deterministic automaton used in modelchecking (graph) [Nodes] Finite reachable states of the system (S) Set of initial states I S [Edges] state transition R S x S Labeling function L Maps each node to a set of properties that hold in the state!b b F. Mallet 3

(Parameterized) Modules Declarations of state variables First NuSMV program The state variables determine the state space The domain must be bounded (and small) Assignments Valid initial states : init Transition relation : next Example MODULE main b : boolean; ASSIGN init(b) := FALSE; next(b) :=!b;!b b F. Mallet 4

Data types (1/2) Boolean b : boolean; Integer i : integer; j : 1..8; FALSE, TRUE Signed 32-bit Enumeration types thread : { stopped, running, waiting, finished }; t1 : {2, 4, -2, 0}; t2 : { FAIL, 1, 3, 7, OK }; Symbolic constants Integer enum Integer-and-symbolic F. Mallet 5

Data types (2/2) Unsigned words (vectors of bits/boolean) b : unsigned word [3]; Signed words (vectors of bits/boolean) i : signed word [7]; Unsigned 3-bit Signed 7-bit Array a : array 0..3 of boolean; a1 : array 10..20 of {OK, y, z}; a2 : array 1..8 of array -1..2 of unsigned word[5]; F. Mallet 6

Synchronous composition All the transitions evolve synchronously!b b!b c b c c : boolean ; c!c!b!c b!c Composed state-space= Cartesian product F. Mallet 7

If an initial value is not specified Initial states: init The variable can initially assume any value in its domain var c : boolean; c!c Otherwise, an expression can compute (a set of) values in the definition domain init(b) := FALSE ; init(b) := { FALSE } ; init(c) := { TRUE, FALSE } ; (non-deterministic) init(var) := {a,b,c} union {x,y,z} ; F. Mallet 8

Initial states: init Non-deterministic initialization MODULE main b : boolean; c : boolean; ASSIGN init(b) := FALSE; next(b) :=!b;!b c b c!b!c b!c Composed state-space= Cartesian product F. Mallet 9

Initial states: init Deterministic initialization MODULE main b : boolean; c : boolean; ASSIGN init(b) := FALSE; next(b) :=!b;!b c b c init(c) := FALSE;!b!c b!c Composed state-space= Cartesian product F. Mallet 10

Transition relation: next Constrain the values that a variable can assume in the next state next(<variable>) := <expression>; <expression> depends on the definition domain of <variable> The expression can depends on current and next values of variables. next(output) :=! input; next(output) := (!input) union output; next(b) := b + (next(a) a); F. Mallet 11

If no next assignment Introduction to NuSMV Transition relation: next The variable evolves non-deterministically c!c F. Mallet 12

Transition relation: next Non-deterministic transition MODULE main b : boolean; c : boolean; ASSIGN init(b) := FALSE; next(b) :=!b;!b c b c init(c) := FALSE;!b!c b!c Composed state-space= Cartesian product F. Mallet 13

Transition relation: next Deterministic transition MODULE main b : boolean; c : boolean; ASSIGN init(b) := FALSE; next(b) :=!b;!b c b c init(c) := FALSE; next(c) := (!b & c) (b &!c) ;!b!c b!c Composed state-space= Cartesian product F. Mallet 14

Normal assignments When neither init nor next is used Specify the current value of a variable depending on the current values of (other) variables <variable> := <expression> ; F. Mallet 15

Normal assignments Counter MODULE main b : boolean; c : boolean; out : 0..3; ASSIGN init(b) := FALSE; next(b) :=!b; init(c) := FALSE; next(c) := (!b & c) (b &!c) ; 2 3 0 1 out := b + 2*c; F. Mallet 16

Definitions Counter MODULE main ASSIGN b : boolean; c : boolean; init(b) := FALSE; next(b) :=!b; 2 3 init(c) := FALSE; next(c) := (!b & c) (b &!c) ; DEFINE out := b + 2*c; 0 1 Definitions are NOT statically typed! F. Mallet 17

Double-assignment rule Restrictions Each variable may be assigned only once in the program Example of illegal assignments init(status) := ready; status := busy; Circular-dependency rule A variable cannot have cycles in its dependency graph not broken by delays x := (x+1) ; next(x) := x & next(y); next(y) := y & next(x); F. Mallet 18

Case expressions Introduction to NuSMV Simple example Keep the first condition that is evaluated to TRUE At least one condition must be TRUE MODULE main req : boolean; state : {ready, busy}; ASSIGN init(state) := ready; next(state) := case state = ready & req : busy; TRUE : {ready, busy}; esac; ready! req ready req busy! req busy req F. Mallet 19

Module with parameters 1-bit counter MODULE count(carry_in) value : boolean; ASSIGN init(value) := FALSE; next(value) := value xor carry_in; DEFINE carry_out := value & carry_in F. Mallet 20

Module with parameters 3-bit counter MODULE main bit0 : count(true); bit1 : count(bit0.carry_out); bit2 : count(bit1.carry_out); MODULE count(carry_in) value : boolean; ASSIGN init(value) := FALSE; next(value) := value xor carry_in; DEFINE carry_out := value & carry_in F. Mallet 21

Specifications Specifications are associated with modules Each property is verified separately Several kinds of specifications Invariants: INSPEC Something that must always be true A proposition on reachable states Linear-Time Logics (LTL) : LTLSPEC Branching-Time Logics (CTL) : SPEC F. Mallet 22

CTL formulas: SPEC (1/2) ctl_expr :: simple_expr ( ctl_expr )! ctl_expr ctl_expr & ctl_expr ctl_expr ctl_expr ctl_expr xor ctl_expr ctl_expr xnor ctl_expr ctl_expr -> ctl_expr ctl_expr <-> ctl_expr A CTL expression can be a simple expression (no next) Logical not Logical and Logical or Logical exclusive or Logical NOT exclusive or Logical implies Logical equivalence F. Mallet 23

CTL formulas: SPEC (2/2) EG ctl_expr EX ctl_expr EF ctl_expr AG ctl_expr AX ctl_expr AF ctl_expr E [ ctl_expr U ctl_expr ] A [ ctl_expr U ctl_expr ] Exists globally Exists next state Exists finally Forall globally Forall next state Forall finally Exists until Forall until F. Mallet 24

Equivalent to Introduction to NuSMV SPEC AG simple_expr; But Checked separately Can contain next operators Invariants: INSPEC F. Mallet 25

LTL formulas: LTLSPEC (1/3) ltl_expr :: simple_expr ( ltl_expr )! ltl_expr ltl_expr & ltl_expr ltl_expr ltl_expr ltl_expr xor ltl_expr ltl_expr xnor ltl_expr ltl_expr -> ltl_expr ltl_expr <-> ltl_expr A LTL expression can be a simple expression (no next) Logical not Logical and Logical or Logical exclusive or Logical NOT exclusive or Logical implies Logical equivalence F. Mallet 26

LTL formulas: LTLSPEC (2/3) G ltl_expr X ltl_expr F ltl_expr p U q p V q Future expressions globally next state finally Until q must hold at some point (eventually) p must hold all the time until then p and q need not hold at the same time Releases p must hold at all time t >=t up to and including the time step t where q also holds q may never hold F. Mallet 27

LTL formulas: LTLSPEC (3/3) H ltl_expr Y ltl_expr O ltl_expr p S q p T q Past expressions historically previous state once Since q must have held at some point (t <=t) p must hold all the time at t (t <t <=t) p need not hold at t Triggered p held at t <=t q holds at all t, (t <=t <=t) Or p never held q must hold at all t (t0<=t <=t) F. Mallet 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback