Introduction to SMV Part 2

Similar documents
Introduction to SMV. Arie Gurfinkel (SEI/CMU) based on material by Prof. Clarke and others Carnegie Mellon University

Traffic Light Controller Examples in SMV. Himanshu Jain Bug catching (Fall 2007)

Introduction to NuSMV

Using Cadence SMV. to verify temporal properties of finite-state machines : Intro to Model Checking April 6, 2011.

NuSMV 2.2 Tutorial. Roberto Cavada, Alessandro Cimatti, Gavin Keighren, Emanuele Olivetti, Marco Pistore and Marco Roveri

CTL Model Checking with NuSMV

NuSMV Hands-on introduction

The SMV system DRAFT. K. L. McMillan. Carnegie-Mellon University. February 2, 1992

the possible applications of symbolic model checking to hardware verification. This document describes the syntax and semantics of the SMV input langu

A Simple Tutorial on NuSMV

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

WHEN concurrent processes share a resource such as a file

Automated Reasoning Lecture 3: The NuSMV Model Checker

CSC410 Tutorial. An Introduction to NuSMV. Yi Li Nov 6, 2017

Formal Verification: Practical Exercise Model Checking with NuSMV

Lecture 2: Symbolic Model Checking With SAT

SPIN part 2. Verification with LTL. Jaime Ramos. Departamento de Matemática, Técnico, ULisboa

SMV Project. Arun Autuchirayll, Manjulata Chivukula, Bhargava Konidena. April 28, 2009

Formal Verification of a Commercial Serial Bus Interface Bernard Plessier & Carl Pixley Motorola SSDT-Austin (51 2) , cad-pixleyq .mot.

arxiv:cs/ v1 [cs.se] 16 Jul 2004

Predicate Abstraction Daniel Kroening 1

CSC2108: Automated Verification Assignment 1 - Solutions

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Formal Verification by Model Checking

More on Verification and Model Checking

Illlll~~ iII! 075l

Verifying IP-Core based System-On-Chip Designs

Formal Analysis and Verification of a Communication Protocol

G52CON: Concepts of Concurrency

Lecture1: Symbolic Model Checking with BDDs. Edmund M. Clarke, Jr. Computer Science Department Carnegie Mellon University Pittsburgh, PA 15213

Having a BLAST with SLAM

Temporal Logic and Timed Automata

Model-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner

Having a BLAST with SLAM

Linear Temporal Logic. Model Checking and. Based on slides developed by Natasha Sharygina. Carnegie Mellon University.

Finite State Verification. CSCE Lecture 21-03/28/2017

7.3.3 Same Inputs in Antecedent and Consequent

Finite State Verification. CSCE Lecture 14-02/25/2016

Double Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST

User Manual of Extended NuSMV

CS 510/13. Predicate Abstraction

Overview. Discrete Event Systems - Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Model-Checking Concurrent Systems

Proving the Correctness of Distributed Algorithms using TLA

An Introduction to UPPAAL. Purandar Bhaduri Dept. of CSE IIT Guwahati

Model Checkers for Test Case Generation: An Experimental Study

Software Model Checking. From Programs to Kripke Structures

Verification of Bakery algorithm variants for two processes

A Verification Method for Software Safety Requirement by Combining Model Checking and FTA Congcong Chen1,a, Fuping Zeng1,b, Minyan Lu1,c

Model Checking. Automatic Verification Model Checking. Process A Process B. when not possible (not AI).

Having a BLAST with SLAM

G52CON: Concepts of Concurrency

Despite some help from modeling tools such as UML, the problem of ensuring the quality of. 1 of :30 AM

Introduction to Linear-Time Temporal Logic. CSE 814 Introduction to LTL

Formal modelling and verification in UPPAAL

Algorithmic Verification. Algorithmic Verification. Model checking. Algorithmic verification. The software crisis (and hardware as well)

Formal Specification and Verification

Design and Analysis of Distributed Interacting Systems

Having a BLAST with SLAM

Model checking Timber program. Paweł Pietrzak

Software Model Checking. Xiangyu Zhang

Model Checking VHDL with CV

Acceleration of SAT-based Iterative Property Checking

Model-Driven Verifying Compilation of Synchronous Distributed Applications

An Automatic Design Flow from Formal Models to FPGA

Formal Verification. Lecture 7: Introduction to Binary Decision Diagrams (BDDs)

A Case Study for CTL Model Update

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

The UPPAAL Model Checker. Julián Proenza Systems, Robotics and Vision Group. UIB. SPAIN

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

Temporal Logic of Actions (TLA) (a brief introduction) Shmuel Katz Computer Science Department The Technion

Automated Refinement Checking of Asynchronous Processes. Rajeev Alur. University of Pennsylvania

Binary Decision Diagrams and Symbolic Model Checking

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

Introduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011

Design Constraints in Symbolic Model Checking

NuSMV 2.2 User Manual

Specifying circuit properties in PSL. (Some of this material is due to Cindy Eisner and Dana Fisman, with thanks) See also the Jasper PSL Quick Ref.

Software Engineering using Formal Methods

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints

Timers 1 / 46. Jiffies. Potent and Evil Magic

Concurrent Preliminaries

Automata-Theoretic LTL Model Checking. Emptiness of Büchi Automata

Software Engineering using Formal Methods

Model Checking with Automata An Overview

Verifying Liveness Properties of ML Programs

! Why is synchronization needed? ! Synchronization Language/Definitions: ! How are locks implemented? Maria Hybinette, UGA

Predicate Abstraction and Refinement Techniques for Verifying Verilog

Formal Methods for Software Development

Software Model Checking with Abstraction Refinement

TDT Appendix E Interconnection Networks

Applications of Formal Verification

Chapter 6: Process [& Thread] Synchronization. CSCI [4 6] 730 Operating Systems. Why does cooperation require synchronization?

The Spin Model Checker : Part I/II

want turn==me wait req2==0

Multi-step transactions specification and verification in a mobile database community

An Industry Proof-of-Concept Demonstration of MC/DC from Automated Combinatorial Testing

Applications of Formal Verification

Introduction to CBMC: Part 1

Transcription:

Introduction to SMV Part 2 Arie Gurfinkel (SEI/CMU) based on material by Prof. Clarke and others 2011 Carnegie Mellon University

Brief Review 2011 Carnegie Mellon University

Symbolic Model Verifier (SMV) Ken McMillan, Symbolic Model Checking: An Approach to the State Explosion Problem, 1993. Finite-state Systems described in a specialized language Specifications given as CTL formulas Internal representation using ROBDDs Automatically verifies specification or produces a counterexample 2/18/2005 2011 Carnegie 3 Mellon University 3

A Sample SMV Program (short.smv) MODULE main VAR request: boolean; state: {ready, busy}; ASSIGN init(state) := ready; next(state) := case state=ready & request: busy; TRUE : {ready, busy}; esac; SPEC AG(request - > AF (state = busy)) 2/18/2005 2011 Carnegie 4 Mellon University 4

A Three-Bit Counter MODULE main VAR bit0 : counter_cell(true); bit1 : counter_cell(bit0.carry_out); bit2 : counter_cell(bit1.carry_out); SPEC AG AF bit2.carry_out MODULE counter_cell(carry_in) VAR value : boolean; ASSIGN init(value) := FALSE; next(value) := value xor carry_in; DEFINE carry_out := value & carry_in; value + carry_in mod 2 2011 Carnegie Mellon University 5

module instantiations in val out bit0 module declaration in val out in val out bit1 in val out bit2 2011 Carnegie Mellon University 6

Inverter Ring MODULE main VAR gate1 : process inverter(gate3.output); gate2 : process inverter(gate1.output); gate3 : process inverter(gate2.output); SPEC (AG AF gate1.output) & (AG AF!gate1.output) MODULE inverter(input) VAR output : boolean; ASSIGN init(output) := FALSE; next(output) :=!input; FAIRNESS running 2011 Carnegie Mellon University 7

Fairness FAIRNESS Ctlform Assumed to be true infinitely often Model checker only explores paths satisfying fairness constraint Each fairness constraint must be true infinitely often If there are no fair paths All existential formulas are false All universal formulas are true FAIRNESS running 2011 Carnegie Mellon University 8

Can A TRUE Result of Model Checker be Trusted Antecedent Failure [Beatty & Bryant 1994] A temporal formula AG (p q) suffers an antecedent failure in model M iff M AG (p q) AND M AG ( p) Vacuity [Beer et al. 1997] A temporal formula ϕ is satisfied vacuously by M iff there exists a sub-formula p of ϕ such that M ϕ[p q] for every other formula q e.g., M AG (r AF a) and M AG (r AF a) and AG (r AF r) and AG (r AF FALSE), 2011 Carnegie Mellon University 9

Vacuity Detection: Single Occurrence ϕ is vacuous in M iff there exists an occurrence of a subformula p such that M ϕ[p TRUE] and M ϕ[p FALSE] M AG (req AF TRUE) M AG TRUE M AG (req AF FALSE) M AG req M AG (TRUE AF ack) M AG AF ack M AG (FALSE AF ack) M AG TRUE 2011 Carnegie Mellon University 10

Detecting Vacuity in Multiple Occurrences: ACTL An ACTL ϕ is vacuous in M iff there exists an a subformula p such that M ϕ[p x], where x is a non-deterministic variable Is AG (req AF req) vacuous? Should it be? M AG (x AF x) M AG TRUE Always vacuous!!! Is AG (req AX req) vacuous? Should it be? M AG (x AX x) can t reduce Can be vacuous!!! 2011 Carnegie Mellon University 11

Run NuSMV NuSMV [options] inputfile - int - lp interactive mode list all properties - n X check property number X - ctt check totality of transition relation - old compatibility mode - ofm file output flattened model 2011 Carnegie Mellon University 12

Using NuSMV in Interactive Mode Basic Usage go prepare model for verification check_ctlspec verify properties Simulation pick_state [- i] [- r] pick initial state for simulation [interactively] or [randomly] simulate [- i] [r] s simulate the model for s steps [interactively] or [randomly] show_traces show active traces 2011 Carnegie Mellon University 13

Useful Links NuSMV home page http://nusmv.fbk.eu/ NuSMV tutorial http://nusmv.fbk.eu/nusmv/tutorial/v25/tutorial.pdf NuSMV user manual http://nusmv.fbk.eu/nusmv/userman/v25/nusmv.pdf NuSMV FAQ http://nusmv.fbk.eu/faq.html NuSMV on Andrew /afs/andrew.cmu.edu/usr6/soonhok/public/nusmv-zchaff-2.5.3-x86_64-redhatlinux-gnu/ NuSMV examples <NuSMV>/share/nusmv/examples Ken McMillan, Symbolic Model Checking: An Approach to the State Explosion Problem, 1993 http://www.kenmcmil.com/pubs/thesis.pdf 2011 Carnegie Mellon University 14

Today: 3 Examples Mutual Exclusion Bus Protocol Traffic Light Controller 2011 Carnegie Mellon University 15

Example 1: Mutual Exclusion Two processes want access to a shared resource they go through idle, trying, critical states Safety (Mutual Exclusion) Only one process can be in the critical section at any given time AG (!(p0 = critical & p1 = critical) ) Liveness (No Starvation) If a process is trying to enter critical section, it eventually enters it AG (p0 = trying -> AF p0 = critical) 2011 Carnegie Mellon University 16

SMV Example: Bus Protocol Ed Clarke Daniel Kroening Carnegie Mellon University

Overview Node 1 Node 2 Node 3 Node 4 Preliminaries: l Single, shared bus l Every node can broadcast on this bus Design goals: l Collision free operation l Priorities for the nodes Similar busses are used in the automotive industry l CAN l Byteflight

Basic Idea Operation Principle l Round based algorithm l First person to start sending gets the bus Ü Achieve design goals by: l Assign unique time to each node l Guarantees Collision free operation l The node with the lower time gets priority

Example ¹ º Node 1 Node 2 Node 3 Node 4 Bus  time

Example ¹ º Node 1 Node 2 Node 3 Node 4 Hm, I won t send Bus time

Example ¹ º Node 1 Node 2 Node 3 Node 4 I will send! Bus time

Example ¹ º Node 1 Node 2 Node 3 Node 4 Bus ¹ time

Example ¹ º Node 1 Node 2 Node 3 Node 4 Bus º time

Example ¹ º Node 1 Node 2 Node 3 Node 4 Bus» time

Example ¹ º Node 1 Node 2 Node 3 Node 4 RESET CLOCK! Bus  Start of new Cycle time

Example ¹ º Node 1 Node 2 Node 3 Node 4 Hm, I won t send Bus time

SMV Model Design: l A state machine controls each node l Counter keeps track of clock Counter: l Reset if someone sends l Increment otherwise MODULE node(bus_active) VAR counter: 0.. 99; ASSIGN next(counter):= case bus_active : 0; counter < 99: counter + 1; TRUE: 99; esac;

SMV Model Design: l A state machine controls each node l Counter keeps track of the clock beginning Bus busy beginning Skip bus_active Wait Sending counter=priority

SMV Model MODULE node(priority, bus_active) VAR counter: 0.. 99; state: { busy, skip, waiting, sending }; ASSIGN init(state):=busy; next(state):= case state=busy & beginning : { skip, waiting }; state=busy : busy; state=skip & bus_active : busy; state=skip : skip; state=waiting & bus_active : waiting; state=waiting & counter=priority: sending; state=waiting: waiting; state=sending: { busy, sending }; esac;

SMV Model MODULE main VAR node1: node(1, bus_active); node2: node(2, bus_active); node3: node(3, bus_active); node4: node(4, bus_active); DEFINE bus_active:=node1.is_sending node2.is_sending node3.is_sending node4.is_sending;

Properties Desired Properties l Safety: Only one node uses the bus at a given time SPEC AG (node1.is_sending -> (!node2.is_sending &!node3.is_sending &!node4.is_sending)) SPEC AG (node2.is_sending -> (!node1.is_sending &!node3.is_sending &!node4.is_sending)) SPEC AG (node3.is_sending -> (!node1.is_sending &!node2.is_sending &!node4.is_sending)) SPEC AG (node4.is_sending -> (!node1.is_sending &!node2.is_sending &!node3.is_sending))

Properties Desired Properties l Liveness: a node that is waiting for the bus will eventually get it, given that the nodes with higher priority are fair FAIRNESS node1.is_skipping FAIRNESS node1.is_skipping & node2.is_skipping FAIRNESS node1.is_skipping & node2.is_skipping & node3.is_skipping SPEC AG AF bus_active SPEC AG(node1.is_waiting -> AF node1.is_sending) SPEC AG(node2.is_waiting -> AF node2.is_sending) SPEC AG(node3.is_waiting -> AF node3.is_sending) SPEC AG(node4.is_waiting -> AF node4.is_sending)

Traffic Light Controller based on slides by Himanshu Jain

Outline v Modeling Traffic Light Controller in SMV v Properties to Check v Four different SMV models for traffic light controller

Scenario N W S

No turning N û û W S

Binary N traffic lights W S

Safety N Property W This should not happen S

Safety N Property W This should not happen S

Liveness N Property W When will the stupid light become green again S

Liveness N Property W Thank God! Traffic in each direction must be served S

Let s Model all of this in NuSMV 43

SMV variables N North.Go=F 44 Three Boolean variables track the status of the lights W South.Go=F West.Go=T S

SMV variables N 45 Three Boolean variables sense the traffic in each direction South.Sense =T West.Sense =F W North.Sense =T S

Properties 1/2 46 v Mutual exclusion v AG!(West.Go & (North.Go South.Go)) v Liveness (e.g., in North direction) v AG (North.Sense &!North.Go -> AF North.Go) v Similarly for South and West directions

Properties 2/2 47 v No strict sequencing We don t want the traffic lights to give turns to each other (if there is no need for it) For example, if there is no traffic on west lane, we do not want West.Go becoming TRUE periodically v We can specify such properties partially AG (West.Go -> A[West.Go U!West.Go & A[!West.Go U South.Go North.Go]]) See code for other such properties We want these properties to FAIL

SMV N 48 modules West module will control North module will control W South module will control Main module Initialize variables Start s all modules S

What if north light is always green and there is always traffic in north direction??? N W S

Fairness Constraints v What if a light is always green and there is always traffic in its direction v We will avoid such scenarios by means of fairness constraints v FAIRNESS!(Sense & Go) v FAIRNESS running v In any infinite execution, there are infinite number of states where either the light is red or there is no traffic in its direction

Implementations

Some more variables v To ensure mutual exclusion We will have two Boolean variables NS_lock: denotes locking of north/south lane EW_lock: denotes locking of west lane v To remember that there is traffic on a lane Boolean variable: North.Req If North.Sense becomes TRUE, then North.Req is set to TRUE Similarly, for South.Req and West.Req

traffic1.smv: main module MODULE main VAR - - lock for North- South direction NS_lock : boolean; - - lock for East- West direction EW_lock : boolean; North : process North (NS_lock, EW_lock, South.Go); South : process South (NS_lock, EW_lock, North.Go); West : process West (EW_lock, NS_lock); ASSIGN init (NS_lock) := FALSE; init (EW_lock) := FALSE;

traffic1.smv: North module 1/2 MODULE North (NS_lock, EW_lock, FriendGo) VAR Go : boolean; Sense : boolean; Req : boolean; State : {idle, entering, critical, exiting}; ASSIGN init (State) := idle; next (State) := case State = idle & Req : entering; State = entering &!EW_lock : critical; State = critical &!Sense : exiting; State = exiting : idle; TRUE : State; esac;

traffic1.smv: North module 2/2 next (NS_lock) := case State = entering &!EW_lock : TRUE; State = exiting &!FriendGo : FALSE; TRUE: NS_lock; esac; init (Req) := FALSE; next (Req) := case State = exiting : FALSE; Sense: TRUE; TRUE: Req; esac; init (Go) := FALSE; next (Go) := case State = critical : TRUE; State = exiting : FALSE; TRUE : Go; esac;

56 South is symmetric West is a bit simpler (no East) Let s run NuSMV!!!

Mutual Exclusion CEX 1. All variables FALSE 2. North.Sense = T (North Run) 3. North.Sense=F, North.Req = T 4. North.State = entering 5. NS_lock=T, North.Sense=T,North.State=critical 6. South.Sense=T (South Run) 7. South.Sense=F, South.Req=T 8. South.State = entering 9. South.State = critical 10. South.Go = T, South.State = exiting 11. West.Sense=T (West Run) 12. West.Sense=F, West.Req=T 13. West.State=entering 14. NS_lock=F, South.Go=F,South.Req=F, South.State=idle (South Run) 15. EW_lock=T, West.State=critical,West.Sense=T (West Run) 16. North.Go=T, North.Sense=F (North Run) 17. West.Go=T, West.Sense=F (West Run)

traffic1.smv: North module 1/2 MODULE North (NS_lock, EW_lock, FriendGo) VAR Go : boolean; Sense : boolean; Req : boolean; State : {idle, entering, critical, exiting}; case ASSIGN init (State) := idle; next (State) := case State = idle & Req : entering; State = entering &!EW_lock : critical; State = critical &!Sense : exiting; State = exiting : idle; TRUE : State; esac; init (Go) := FALSE; next (Go) := State = critical : TRUE; State = exiting : FALSE; TRUE : Go; esac;

traffic2.smv: fix DEFINE EnterCritical := State = entering &!EW_lock; ASSIGN init (State) := idle; next (State) := case State = idle & Req : entering; EnterCritical : critical; State = critical &!Sense : exiting; State = exiting : idle; TRUE : State; esac; init (Go) := FALSE; next (Go) := case EnterCritical : TRUE; State = exiting : FALSE; TRUE : Go; esac;

Model checking traffic2.smv v Mutual exclusion property is satisfied v Liveness property for North direction fails v AG ( (Sense &!Go) - > AF Go) IN North

CEX for Liveness is a Fair Cycle 1.6 North.State = entering North.EnterCritical = T all others are idle 1.10 South is given a turn, but does nothing 1.19 West.State = idle 1.15 West.State = critical 1.16 North is given a turn, but can t get a lock

Add Turn to Ensure Liveness v This is in traffic3.smv v Use Peterson s mutual exclusion algorithm v Introduce a variable Turn Turn : {nst, wt} If I have just exited the critical section, offer Turn to others

traffic3.smv: Adding Turn DEFINE EnterCritical := State = entering &!EW_lock & (Turn = nst!otherreq); next (Turn) := case State = exiting & Turn = nst &!FriendReq : wt; TRUE : Turn; esac; Similar change in West module

Model check again v Mutual still exclusion holds! v What about liveness properties In north direction? HOLDS In south direction? HOLDS In west direction? FAILS L

traffic4.smv v Two extra variables to distinguish between North and South completion North.Done, South.Done v When North exits critical section v North.Done is set to TRUE v Similarly for South.Done v When West exits v both South.Done and North.Done are set to FALSE

traffic4.smv: North Module init (Done) := FALSE; next (Done) := case State = exiting : TRUE; TRUE : Done; esac; next (Turn) := case State = exiting & Turn = nst &!FriendReq : wt; State = exiting & Turn = nst & FriendDone & OtherReq : wt; TRUE : Turn; esac;

Hurray! v Mutual exclusion holds v Liveness for all three directions holds v No Strict sequencing

Possible extensions v Allow for north, south, east, and west traffic v Allow for cars to turns v Replace specific modules by a single generic one Instantiate it four times Once for each direction v Ensure properties without using fairness constraints

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback