CSC410 Tutorial. An Introduction to NuSMV. Yi Li Nov 6, 2017

Similar documents
A Simple Tutorial on NuSMV

NuSMV Hands-on introduction

Automated Reasoning Lecture 3: The NuSMV Model Checker

Introduction to NuSMV

NuSMV 2.2 Tutorial. Roberto Cavada, Alessandro Cimatti, Gavin Keighren, Emanuele Olivetti, Marco Pistore and Marco Roveri

NuSMV 2.5 User Manual

Introduction to SMV. Arie Gurfinkel (SEI/CMU) based on material by Prof. Clarke and others Carnegie Mellon University

Software Engineering using Formal Methods

Software Engineering using Formal Methods

Finite State Verification. CSCE Lecture 14-02/25/2016

Some notes about Event-B and Rodin

Formal Specification and Verification

Temporal Logic and Timed Automata

Finite State Verification. CSCE Lecture 21-03/28/2017

NuSMV 2.2 User Manual

CTL Model Checking with NuSMV

Introduction to Visual Basic and Visual C++ Arithmetic Expression. Arithmetic Expression. Using Arithmetic Expression. Lesson 4.

Intermediate Code Generation

NuSMV 2.3 User Manual

(Not Quite) Minijava

Using Cadence SMV. to verify temporal properties of finite-state machines : Intro to Model Checking April 6, 2011.

Cyber Physical System Verification with SAL

Predicate Abstraction Daniel Kroening 1

There are four numeric types: 1. Integers, represented as a 32 bit (or longer) quantity. Digits sequences (possibly) signed are integer literals:

PSL/Sugar Version 1.28

DEPARTMENT OF MATHS, MJ COLLEGE

Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints

BASIC ELEMENTS OF A COMPUTER PROGRAM

Applications of Formal Verification

The PCAT Programming Language Reference Manual

Quick Reference Guide

Quick Reference Guide

Applications of Formal Verification

Applications of Formal Verification

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

Specification of Zinc and MiniZinc. Nicholas Nethercote Kim Marriott Reza Rafeh Mark Wallace María García de la Banda Version 0.8

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Sections p.

Model-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner

Le L c e t c ur u e e 2 To T p o i p c i s c t o o b e b e co c v o e v r e ed e Variables Operators

4. Logical Values. Our Goal. Boolean Values in Mathematics. The Type bool in C++

Basic Types, Variables, Literals, Constants

SECTION II: LANGUAGE BASICS

Basic C Programming (2) Bin Li Assistant Professor Dept. of Electrical, Computer and Biomedical Engineering University of Rhode Island

A Fast Review of C Essentials Part I

Programming for Engineers Iteration

CT 229. Java Syntax 26/09/2006 CT229

1 Lexical Considerations

IP Core Design. Lecture 11 Introduction to PSL

SEMANTIC ANALYSIS TYPES AND DECLARATIONS

More On Syntax Directed Translation

Chapter 2: Overview of C. Problem Solving & Program Design in C

CSc 10200! Introduction to Computing. Lecture 2-3 Edgardo Molina Fall 2013 City College of New York

Introduction to Programming Using Java (98-388)

OCRA: Othello Contracts Refinement Analysis Version 1.3

CSC 1214: Object-Oriented Programming

A flow chart is a graphical or symbolic representation of a process.

520 Principles of Programming Languages. Arithmetic. Variable Declarations. 19: Pascal

The SPL Programming Language Reference Manual

Fall Lecture 3 September 4. Stephen Brookes

Programming, numerics and optimization

3. Logical Values. Our Goal. Boolean Values in Mathematics. The Type bool in C++

Lecture 02 C FUNDAMENTALS

CLIP - A Crytographic Language with Irritating Parentheses

3. Logical Values. Boolean Functions; the Type bool; logical and relational operators; shortcut evaluation

Formal Verification: Practical Exercise Model Checking with NuSMV

CHPSIM. Version 2.0. A Simulator and Debugger for the CHP Language. User Manual. Written by Marcel van der Goot and Chris Moore

C Programming Language (Chapter 2 of K&R) Variables and Constants

COMPUTER APPLICATION

Lexical Considerations

RSL Reference Manual

Computer Aided Verification 2015 The SPIN model checker

Type checking of statements We change the start rule from P D ; E to P D ; S and add the following rules for statements: S id := E

Variables. Data Types.

DaMPL. Language Reference Manual. Henrique Grando

Recap. ANSI C Reserved Words C++ Multimedia Programming Lecture 2. Erwin M. Bakker Joachim Rijsdam

12 CREATING NEW TYPES

The Spin Model Checker : Part I/II

PHPoC. PHPoC vs PHP. Version 1.1. Sollae Systems Co., Ttd. PHPoC Forum: Homepage:

LCSL Reference Manual

3. Logical Values. Our Goal. Boolean Values in Mathematics. The Type bool in C++

3. Logical Values. Our Goal. Boolean Values in Mathematics. The Type bool in C++

The Arithmetic Operators

The Arithmetic Operators. Unary Operators. Relational Operators. Examples of use of ++ and

CHAPTER 8. Copyright Cengage Learning. All rights reserved.

C/C++ Programming for Engineers: Working with Integer Variables

COMP-520 GoLite Tutorial

Twister: Language Reference Manual

Character Set. The character set of C represents alphabet, digit or any symbol used to represent information. Digits 0, 1, 2, 3, 9

Language Reference Manual simplicity

Structure of Abstract Syntax trees for Colored Nets in PNML

Lecture Notes on Ints

Motivation was to facilitate development of systems software, especially OS development.

Note: unless otherwise stated, the questions are with reference to the C Programming Language. You may use extra sheets if need be.

COMP 382: Reasoning about algorithms

Non-numeric types, boolean types, arithmetic. operators. Comp Sci 1570 Introduction to C++ Non-numeric types. const. Reserved words.

Basic concepts. Chapter Toplevel loop

JScript Reference. Contents

axiomatic semantics involving logical rules for deriving relations between preconditions and postconditions.

LESSON 1. A C program is constructed as a sequence of characters. Among the characters that can be used in a program are:

Appendix. Grammar. A.1 Introduction. A.2 Keywords. There is no worse danger for a teacher than to teach words instead of things.

Transcription:

CSC410 Tutorial An Introduction to NuSMV Yi Li Nov 6, 2017

An Overview of NuSMV NuSMV is a symbolic model checker developed by FBK-IRST Uses a structured language to model finite-state systems Allows to model check LTL and CTL specifications Online Resources: NuSMV homepage: http://nusmv.fbk.eu/ Download binaries: http://nusmv.fbk.eu/bin/bin_download2-v2.cgi Documentation: http://nusmv.fbk.eu/nusmv/tutorial/v25/tutorial.pdf 2017-11-06 CSC410 Tutorial 2

The first SMV program MODULE main VAR b0 : boolean; ASSIGN init(b0) := FALSE; next(b0) :=!b0; FALSE!b0 TRUE b0 An SMV program consists of: Declarations of the state variables; the state variables determine the state space of the model. Assignments that define the valid initial states. Assignments that define the transition relation. 2017-11-06 CSC410 Tutorial 3

Declaring state variables The SMV language provides booleans, enumerative and bounded integersasdata types: boolean: VAR x : boolean; enumerative: VAR st : ready, busy, waiting, stopped ; integers (bounded): VAR n : 1..8; 2017-11-06 CSC410 Tutorial 4

Arrays The SMV language provides also the possibility to define arrays. VAR x : array 0..10 of boolean; -- array of 11 elements y : array 2..4 of 0..10; z : array 0..10 of array 0..5 of {red, green, orange}; ASSIGN init(x[5]) := 1; init(y[2]) := {0,2,4,6,8,10}; -- any value in the set init(z[3][2]) := {green, orange}; Remarks: Array indexes in NuSMV must be constants; 2017-11-06 CSC410 Tutorial 5

Adding a state variable MODULE main VAR b0 : boolean; b1 : boolean;!b0 b0!b1!b1 ASSIGN init(b0) := FALSE; next(b0) :=!b0;!b0 b1 b0 b1 Remarks: The new state space is the cartesian product of the ranges of the variables.!b1 2017-11-06 CSC410 Tutorial 6

Declaring the set of initial states For each variable, we constrain the values that it can assume in the initial states. init(<variable>) := <simple_expression> ; <simple expression> must evaluate to values in the domain of <variable>. If the initial value for a variable is not specified, then the variable can initially assume any value in its domain. 2017-11-06 CSC410 Tutorial 7

Declaring the set of initial states MODULE main VAR b0 : boolean; b1 : boolean;!b0 b0!b1!b1 ASSIGN init(b0) := FALSE; next(b0) :=!b0; init(b1) := FALSE;!b0 b1 b0 b1 2017-11-06 CSC410 Tutorial 8

Expressions Arithmetic operators: + - * / mod - (unary) Comparison operators: =!= > < <= >= Logic operators: & xor! (not) -> <-> Conditional expression: case c1 : e1; c2 : e2; if c1 then e1 else if c2 then e2 else if... else en... TRUE : en; esac Set operators: {v1,v2,...,vn} (set expression) in (set inclusion) tests a value for membership in a set union (set union) takes the union of 2 sets 2017-11-06 CSC410 Tutorial 9

Expressions Conversion operators: toint converts boolean and word to integer. bool converts integer and word to boolean (the result of the conversion is FALSE if the expression resolves to 0, TRUE otherwise). swconst and uwconst convert integer to signed and unsigned word respectively. word1 converts boolean to a single word bit. unsigned and signed convert signed word to unsigned word and vice-versa. 2017-11-06 CSC410 Tutorial 10

Expressions Expressions in SMV do not necessarily evaluate to one value. In general, they can represent a set of possible values. init(var) := {a,b,c} union {x,y,z} ; The meaning of := in assignments is that the lhs can assume non-deterministically a value in the set of values represented by the rhs. A constant c is considered as a syntactic abbreviation for {c} (the singleton containing c). 2017-11-06 CSC410 Tutorial 11

Declaring the transition relation The transition relation is specified by constraining the values that variables can assume in the next state (i.e. after each transition). next(<variable>) := <next_expression> ; <next expression> must evaluate to values in the domain of <variable>. <next expression> depends on current and next variables: next(a) := { a, a+1 } ; next(b) := b + (next(a) - a) ; If no next() assignment is specified for a variable, then the variable can evolve non-deterministically, i.e. it is unconstrained. Unconstrained variables can be used to model non-deterministic inputs to the system. 2017-11-06 CSC410 Tutorial 12

Declaring the transition relation A modulo-4 counter: MODULE main VAR b0 : boolean; b1 : boolean; ASSIGN init(b0) := FALSE; next(b0) :=!b0; 0 1!b0 b0!b1!b1 2 3!b0 b0 b1 b1 init(b1) := FALSE; next(b1) := ((!b0 & b1) (b0 &!b1)); 2017-11-06 CSC410 Tutorial 13

Specifying normal assignments Normal assignments constrain the current value of a variable to the current values of other variables. They can be used to model outputs of the system. <variable> := <simple_expression> ; <simple expression> must evaluate to values in the domain of the <variable>. 2017-11-06 CSC410 Tutorial 14

Specifying normal assignments MODULE main VAR b0 : boolean; b1 : boolean; out : 0..3; ASSIGN init(b0) := FALSE; next(b0) :=!b0; 0 1 2 3 init(b1) := FALSE; next(b1) := ((!b0 & b1) (b0 &!b1)); out := toint(b0) + 2*toint(b1); 2017-11-06 CSC410 Tutorial 15

Restrictions on the ASSIGN In order for an SMV program to be implementable, assignments have the following restrictions: Double assignments rule Each variable may be assigned only once in the program. Circular dependencies rule A variable cannot have cycles in its dependency graph that are not broken by delays. If an SMV program does not respect these restrictions, an error is reported by NuSMV. 2017-11-06 CSC410 Tutorial 16

Double assignments rule Each variable may be assigned only once in the program. init(status) := ready; ILLEGAL! init(status) := busy; next(status) := ready; next(status) := busy; status := ready; status := busy; init(status) := ready; status := busy; next(status) := ready; status := busy; ILLEGAL! ILLEGAL! ILLEGAL! ILLEGAL! 2017-11-06 CSC410 Tutorial 17

Circular dependencies rule A variable cannot have cycles in its dependency graph that are not broken by delays. x := (x + 1) mod 2; ILLEGAL! x := (y + 1) mod 2; y := (x + 1) mod 2; next(x) := x & next(x); next(x) := x & next(y); next(y) := y & next(x); next(x) := x & next(y); next(y) := y & x; ILLEGAL! ILLEGAL! ILLEGAL! LEGAL! 2017-11-06 CSC410 Tutorial 18

The DEFINE declaration DEFINE declarations can be used to define abbreviations. An alternative to normal assignments. Syntax: DEFINE <id> := <simple_expression> ; They are similar to macro definitions. No new state variable is created for defined symbols (hence, no added complexity to model checking). Each occurrence of a defined symbol is replaced with the body of the definition. 2017-11-06 CSC410 Tutorial 19

The DEFINE declaration MODULE main VAR b0 : boolean; b1 : boolean; ASSIGN init(b0) := FALSE; next(b0) :=!b0; init(b1) := FALSE; next(b1) := ((!b0 & b1) (b0 &!b1)); DEFINE out := toint(b0) + 2*toint(b1); 2017-11-06 CSC410 Tutorial 20

Example: A modulo 4 counter with reset The counter can be reset by an external uncontrollable signal. MODULE main VAR b0 : boolean; b1 : boolean; reset : boolean; ASSIGN init(b0) := FALSE; init(b1) := FALSE; next(b0) := case 0 1 reset = TRUE : FALSE; reset = FALSE :!b0; esac; next(b1) := case reset : FALSE; 3 2 TRUE : ((!b0 & b1) (b0 &!b1)); esac; DEFINE out := toint(b0) + 2*toint(b1); 2017-11-06 CSC410 Tutorial 21

Specifying LTL Properties LTL properties are specified via the keyword LTLSPEC : LTLSPEC <ltl_expression> It eventually reaches a state in which out = 3 : LTLSPEC F (out = 3) It is always true that a state with out = 2 follows a state with out = 1 : LTLSPEC G ((out = 1) -> next(out) = 2) An execution leading to a state in which out = 3 can be generated with the specification: LTLSPEC!F (out = 3) 2017-11-06 CSC410 Tutorial 22

Interactive shell NuSMV -int [filename] activates an interactive shell read model [-i filename] reads the input model. set input file filename sets the input model. go reads and initializes NuSMV for verification or simulation. pick state [-v] [-r -i] picks a state from the set of initial state. -v prints the chosen state. -r picks a state from the set of the initial states randomly. -i picks a state from the set of the initial states interactively. simulate [-p -v] [-r -i] -k steps generates a sequence of at most steps states starting from the current state. -p and -v print the generated trace: -p prints only the changed state variables. -v prints all the state variables. -r at every step picks the next state randomly. -i at every step picks the next state interactively. 2017-11-06 CSC410 Tutorial 23

Interactive shell reset resets the whole system (in order to read in another model and to perform verification on it). help shows the list of all commands (if a command name is given as argument, detailed information for that command will be provided). quit stops the program. Argument -h prints the command line help. 2017-11-06 CSC410 Tutorial 24

Inspecting traces goto state state label makes state label the current state (it is used to navigate along traces). show traces [-v] [trace number] shows the trace identified by trace number or the most recently generated trace if trace number is omitted. -v prints prints all the state variables. print current state [-h] [-v] prints out the current state. -v prints all the variables. 2017-11-06 CSC410 Tutorial 25

References NuSMV: Introduction and Examples http://disi.unitn.it/~agiordani/fm/l5/main.pdf 2017-11-06 CSC410 Tutorial 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback