Using Cadence SMV. to verify temporal properties of finite-state machines : Intro to Model Checking April 6, 2011.

Similar documents
Introduction to SMV. Arie Gurfinkel (SEI/CMU) based on material by Prof. Clarke and others Carnegie Mellon University

Introduction to NuSMV

CTL Model Checking with NuSMV

NuSMV Hands-on introduction

A Simple Tutorial on NuSMV

NuSMV 2.2 Tutorial. Roberto Cavada, Alessandro Cimatti, Gavin Keighren, Emanuele Olivetti, Marco Pistore and Marco Roveri

Introduction to SMV Part 2

the possible applications of symbolic model checking to hardware verification. This document describes the syntax and semantics of the SMV input langu

The SMV system DRAFT. K. L. McMillan. Carnegie-Mellon University. February 2, 1992

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Automated Reasoning Lecture 3: The NuSMV Model Checker

A Case Study for CTL Model Update

CSC410 Tutorial. An Introduction to NuSMV. Yi Li Nov 6, 2017

Traffic Light Controller Examples in SMV. Himanshu Jain Bug catching (Fall 2007)

A Meta Hardware Description Language Melasy for Model-Checking Systems

ELECTRONIC devices operate in a variety of environments,

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

WHEN concurrent processes share a resource such as a file

arxiv:cs/ v1 [cs.se] 16 Jul 2004

Lecture1: Symbolic Model Checking with BDDs. Edmund M. Clarke, Jr. Computer Science Department Carnegie Mellon University Pittsburgh, PA 15213

Linear Temporal Logic. Model Checking and. Based on slides developed by Natasha Sharygina. Carnegie Mellon University.

SMV Project. Arun Autuchirayll, Manjulata Chivukula, Bhargava Konidena. April 28, 2009

Finite State Verification. CSCE Lecture 21-03/28/2017

Finite State Verification. CSCE Lecture 14-02/25/2016

Temporal Logic and Timed Automata

Double Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST

Overview. Discrete Event Systems - Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Analysis of a Measured Launch

Introduction to Linear-Time Temporal Logic. CSE 814 Introduction to LTL

Model Checking VHDL with CV

FBD based Software in

Programming Languages and Compilers Qualifying Examination. Answer 4 of 6 questions.1

Specifying circuit properties in PSL. (Some of this material is due to Cindy Eisner and Dana Fisman, with thanks) See also the Jasper PSL Quick Ref.

Model checking Timber program. Paweł Pietrzak

Formal Verification: Practical Exercise Model Checking with NuSMV

Formal Analysis and Verification of a Communication Protocol

SPIN part 2. Verification with LTL. Jaime Ramos. Departamento de Matemática, Técnico, ULisboa

Binary Decision Diagrams and Symbolic Model Checking

CSC2108: Automated Verification Assignment 1 - Solutions

Model Checking for Autonomy Software

Illlll~~ iII! 075l

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

Current Versions of the TLA + Tools

Building Graphical Promela Models using UPPAAL GUI

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

NuSMV 2.2 User Manual

The Spin Model Checker : Part I/II

Sérgio Campos, Edmund Clarke

Algorithmic Verification. Algorithmic Verification. Model checking. Algorithmic verification. The software crisis (and hardware as well)

More on Verification and Model Checking

CS115 - Module 3 - Booleans, Conditionals, and Symbols

NuSMV 2.3 User Manual

CS2104 Prog. Lang. Concepts

T Reactive Systems: Kripke Structures and Automata

Verifying IP-Core based System-On-Chip Designs

4 Algorithms. Definition of an Algorithm

To be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 COPYRIGHT 2011 ALCATEL-LUCENT. ALL RIGHTS RESERVED.

The Priority Inversion Problem and Real-Time Symbolic Model Checking

The TLV Manual. Elad Shahar Weizmann Institute. Additional Material: Ittai Balaban New York University

Solutions to First Exam, Math 170, Section 002 Spring 2012

EE382V: System-on-a-Chip (SoC) Design

Propositional Calculus. Math Foundations of Computer Science

1 Lexical Considerations

Sugar 2.0 An Introduction

Hardware Design Verification: Simulation and Formal Method-Based Approaches William K Lam Prentice Hall Modern Semiconductor Design Series

Formal Verification by Model Checking

Module 3: New types of data

Timo Latvala. January 28, 2004

OUTLINE SYSTEM-ON-CHIP DESIGN. GETTING STARTED WITH VHDL September 3, 2018 GAJSKI S Y-CHART (1983) TOP-DOWN DESIGN (1)

Project 5 - The Meta-Circular Evaluator

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Design and Analysis of Distributed Interacting Systems

Control Flow. COMS W1007 Introduction to Computer Science. Christopher Conway 3 June 2003

Model Checking with Automata An Overview

Tool demonstration: Spin

Laboratory Exercise 3 Davide Rossi DEI University of Bologna AA

Propositional Calculus. Math Foundations of Computer Science

Normal Order (Lazy) Evaluation SICP. Applicative Order vs. Normal (Lazy) Order. Applicative vs. Normal? How can we implement lazy evaluation?

Overview of SRI s. Lee Pike. June 3, 2005 Overview of SRI s. Symbolic Analysis Laboratory (SAL) Lee Pike

EECS150 - Digital Design Lecture 5 - Verilog Logic Synthesis

Formal Verification of a Commercial Serial Bus Interface Bernard Plessier & Carl Pixley Motorola SSDT-Austin (51 2) , cad-pixleyq .mot.

Solving QBF with SMV. Abstract. 1 Introduction

IT T35 Digital system desigm y - ii /s - iii

Model Checking. Automatic Verification Model Checking. Process A Process B. when not possible (not AI).

Predicate Abstraction Daniel Kroening 1

FSM and Efficient Synthesizable FSM Design using Verilog

Lecture 2: Symbolic Model Checking With SAT

User Manual of Extended NuSMV

Model Checking. Dragana Cvijanovic

Software Model Checking. From Programs to Kripke Structures

CMSC 330: Organization of Programming Languages. Operational Semantics

Verilog for Synthesis Ing. Pullini Antonio

want turn==me wait req2==0

AsmetaSMV: a model checker for AsmetaL models Tutorial

Property Verification for Generic Access Control Models 1

Summer 2017 Discussion 10: July 25, Introduction. 2 Primitives and Define

Parameterized Verification of Deadlock Freedom in Symmetric Cache Coherence Protocols

Modeling and Analysis of Networked Embedded Systems using UPPAAL. Ezio Bartocci

Testing Digital Systems I

EECS150 - Digital Design Lecture 4 - Verilog Introduction. Outline

Transcription:

Using Cadence SMV to verify temporal properties of finite-state machines 15-817: Intro to Model Checking April 6, 2011 Will Klieber 1

Remember (π f ) implies (π Review of Temporal Logic a a is true now X a a is true in the next t state F a a will be true sometime in the Future G a a will be Globally true in the future a U b a will hold true Until b becomes true F f ). Path Quantifiers: E f : There exists a path (from the current state) on which f is true. A f : Along all paths (from the current state), f is true. 2

EF g : it is possible that g will be true 3

AF g : g will necessarily be true sometime in the future 4

AG g : g is an invariant 5

EG g : on some path, g is always true 6

SMV Input: Model (specified in the SMV system-description language) Properties to verify (in CTL or LTL) Output: All properties are true or Counterexample trace SMV was originally developed by Ken McMillan at CMU (1992) Two versions: Cadence SMV NuSMV Both support an older-style syntax that is used in this presentation. Cadence SMV also supports a new-style syntax that is more expressive. Cadence SMV can run on both Windows and Linux. 7

Microwave Oven Example Suppose we are designing a controller for a microwave oven. The heating element should be off if the is open. (Else the user gets cooked!) If the user presses the Start button when the is open, then enter an error mode. Leave the error mode when the user presses the Reset button. ~ Error Close Start (with open) ~ Close Error Reset Start oven Done Heat 8

Microwave Oven Example MODULE main start, reset, closed : boolean; error, heat : boolean; ASSIGN init(error) := 0; init(heat) := 0; next(error) := start & ~closed : 1; closed & reset : 0; 1 : error; next(heat) := start & closed : 1; ~closed : 0; 1 : heat; SPEC AG (!closed -> AX!heat) SPEC EF (heat) ~ Error Error Close Start (with open) Reset ~ Close Start oven Done Note: foo := cond1 : expr1 cond2 : expr2 cond3 : expr3 esac means if (cond1) {foo = expr1} else if (cond2) {foo = expr2} else if (cond3) {foo = expr3} Integer 1 is interpreted as boolean true. Heat 9

Microwave Oven Example MODULE main start, reset, closed : boolean; error, heat : boolean; ASSIGN init(error) := 0; init(heat) := 0; next(error) := start & ~closed : 1; closed & reset : 0; 1 : error; next(heat) := start & closed : 1; ~closed : 0; 1 : heat; SPEC AG (!closed -> AX!heat) SPEC EF (heat) ~ Error Close Error Start (with open) Reset ~ Close Start oven Done Heat Note: SMV code is not normally created from a state diagram. (Indeed, for many systems, the state space is too large to explicitly create the state diagram.) Rather, the SMV code is created from the underlying logic of the system (e.g., a digital circuit in hardware verification). 10

Microwave Example in Cadence SMV http://www.kenmcmil.com/smv.html 11

simple01.smv MODULE main request : boolean; state ASSIGN : {ready,busy}; init(state) := ready; next(state) := state = ready & request : busy; 1 : {ready,busy}; // non-det choice SPEC AG(request -> AF state = busy) Exercise: Draw the corresponding Kripke structure. The state variable is declared to take one of two enumerated values: ready and busy. Note: foo := cond1 : expr1 cond2 : expr2 cond3 : expr3 esac means if (cond1) {foo = expr1} else if (cond2) {foo = expr2} else if (cond3) {foo = expr3} Integer 1 is interpreted as boolean true. 12

Three-Bit Counter; Modules MODULE counter_cell(carry_in) value : boolean; ASSIGN init(value) := 0; next(value) := value + carry_in mod 2; DEFINE carry_out := value & carry_in; MODULE main bit0 : counter_cell(1); bit1 : counter_cell(bit0.carry_out); bit2 : counter_cell(bit1.carry_out); SPEC AG AF bit2.carry_out 13

Peterson s Mutual-Exclusion Algorithm (broken version) MODULE agent(req_self,req_other,turn,num) pc : {L0, L1, L3, L4 }; ASSIGN init(req_self):= 0; init(pc):= L0; next(pc):= pc = L0 : { L0, L1 }; pc = L1 : L3; pc = L3 & ( req_other ) : L3; pc = L3 : L4; pc = L4 : L0; next(req_self):= pc = L1 : 1; pc = L4 : 0; 1 : req_self; MODULE main turn : boolean; req0 : boolean; req1 : boolean; agent0: L0: Idle; L1: req0 = 1; //request to enter critical section L3: while (req1 == 1) {}; /* critical region */ L4: req0 = 0; //clear the request agent1: L0: Idle; L1: req1 = 1; //request to enter critical section L3: while (req0 == 1) {}; /* critical region */ L4: req1 = 0; //clear the request DEFINE request:= pc = L1; critical:= pc = L4; FAIRNESS running agent0 : process agent(req0,req1,turn,0); agent1 : process agent(req1,req0,turn,1); safe: SPEC AG(!agent0.critical!agent1.critical ); fairness0: SPEC AG( agent0.request -> EF agent0.critical ); fairness1: SPEC AG( agent1.request -> EF agent1.critical ); 14

MODULE agent(req_self,req_other,turn,num) pc : {L0, L1, L2, L3, L4 }; ASSIGN init(req_self):= 0; init(pc):= L0; next(pc):= pc = L0 : { L0, L1 }; pc = L1 : L2; pc = L2 : L3; pc = L3 & (turn =!num) & req_other: L3; pc = L3 : L4; pc = L4 : L0; next(req_self):= pc = L1 : 1; pc = L4 : 0; 1 : req_self; next(turn):= pc = L2 :!num; 1 : turn; DEFINE request:= pc = L1; critical:= pc = L4; FAIRNESS running MODULE main turn : boolean; req0 : boolean; req1 : boolean; Peterson s Mutex (Fixed) agent0: L0: Idle; L1: req0 = 1; //request to enter critical section L2: turn = 1; //give priority to the other procress L3: while (turn == 1 && req1 == 1) {}; L4: req0 = 0; //clear the request agent1: L0: Idle; L1: req1 = 1; //request to enter critical section L2: turn = 0; //give priority to the other procress L3: while (turn == 0 && req0 == 1) {}; L4: req1 = 0; //clear the request agent0 : process agent(req0,req1,turn,0); agent1 : process agent(req1,req0,turn,1); safe: SPEC AG(!agent0.critical!agent1.critical ); fairness0: SPEC AG( agent0.request -> EF agent0.critical ); fairness1: SPEC AG( agent1.request -> EF agent1.critical ); 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback