Presentation is loading. Please wait.

Presentation is loading. Please wait.

2/19/20031 Introduction to SMV. 2/19/20032 Useful Links CMU Model checking homepage SMV windows version

Published byEleanor Dalton Modified over 7 years ago

Similar presentations

Presentation on theme: "2/19/20031 Introduction to SMV. 2/19/20032 Useful Links CMU Model checking homepage SMV windows version"— Presentation transcript:

1 2/19/20031 Introduction to SMV

2 2/19/20032 Useful Links CMU Model checking homepage http://www.cs.cmu.edu/~modelcheck/ SMV windows version http://www.cs.cmu.edu/~modelcheck/smv.html#nt SMV man page (must read) http://www.cs.cmu.edu/~dongw/smv.txt SMV manual http://www.cs.cmu.edu/~modelcheck/smv/smvmanual.ps

3 2/19/20033 Symbolic Model Verifier Ken McMillan, Symbolic Model Checking: An Approach to the State Explosion Problem, 1993. Finite-state Systems described in a specialized language Specifications given as CTL formulas + fairness, safety, liveness, deadlock Internal representation using OBDDs Automatically verifies specification or produces a counterexample

4 2/19/20034 Language Characteristics Allows description of synchronous and asynchronous systems Modularized and hierarchical descriptions Finite data types: Boolean and enumerated Nondeterminism

5 2/19/20035 Variable Assignments Assignment to initial state: init(value) := 0; Assignment to next state (transition relation) next(value) := value + carry_in mod 2; Assignment to current state (invariant) carry_out := value & carry_in; Use either init-next or invariant - never both SMV is a parallel assignment language

6 2/19/20036 A Sample SMV Program MODULE main VAR request: boolean; state: {ready, busy}; ASSIGN init(state) := ready; next(state) := case state=ready & request: busy; 1: {ready, busy}; esac; SPEC AG(request -> AF (state = busy))

7 2/19/20037 The Case Expression case is an expression, not a statement Guards are evaluated sequentially. The first one that is true determines the resulting value If none of the guards are true, an arbitrary valid value is returned Always use an else guard!

8 2/19/20038 Nondeterminism Completely unassigned variable can model unconstrained input. {val_1, …, val_n} is an expression taking on any of the given values nondeterministically. Use union when you have expressions rather than values Nondeterministic choice can be used to: Model an implementation that has not been refined yet (e.g., abstract models of complex protocols) Abstract behavior

9 2/19/20039 Types Boolean 1 is true and 0 is false Enumerated VAR a : {red, blue, green}; b : {1, 2, 3}; c : {1, 5, 7}; ASSIGN next(b) := case b<3 : b+1; 1 : 1; esac; Numerical operations must be properly guarded User can define its own data structures

10 2/19/200310 ASSIGN and DEFINE VAR a: boolean; ASSIGN a := b | c; declares a new state variable a becomes part of invariant relation DEFINE d:= b | c; is effectively a macro definition, each occurrence of d is replaced by b | c no extra BDD variable is generated for d the BDD for b | c becomes part of each expression using d not possible to provide non-determinism

11 2/19/200311 Next Expressions can refer to the value of a variable in the next state Examples: VAR a,b : boolean; ASSIGN next(b) := !b; a := next(b); ASSIGN next(a) := !next(b) ( a is the negation of b, except for the initial state) Disclaimer: different SMV versions differ on this

12 2/19/200312 Assignment Errors Next/current value of a variable is assigned more than once (process) Initial value of a variable is assigned more than once (program) Initial/Current value of a variable are both assigned (program) Current/Next value of a variable are both assigned (program) Circular assignments

13 2/19/200313 Circular definitions … are not allowed! This is illegal: a := next(b); next(b) := c; c := a; This is o.k. init(a) := 0; next(a) := !b; init(b) := 1; next(b) := !a; init(c) := 0; next(c) := a & next(b);

14 2/19/200314 Modules and Hierarchy Modules can be instantiated many times, each instantiation creates a copy of the local variables Each program has a module main Scoping Variables declared outside a module can be passed as parameters Internal variables of a module can be used in enclosing modules (submodel.varname). Parameters are passed by reference.

15 2/19/200315 MODULE main VAR bit0 : counter_cell(1); bit1 : counter_cell(bit0.carry_out); bit2 : counter_cell(bit1.carry_out); SPECAG AF bit2.carry_out MODULE counter_cell(carry_in) VARvalue : boolean; ASSIGN init(value) := 0; next(value) := value + carry_in mod 2; DEFINE carry_out := value & carry_in;

16 2/19/200316 Module Composition Synchronous composition All assignments are executed in parallel and synchronously. A single step of the resulting model corresponds to a step in each of the components. Asynchronous composition A step of the composition is a step by exactly one process. Variables, not assigned in that process, are left unchanged.

17 2/19/200317 Asynchronous Composition MODULE main VAR gate1: process inverter(gate3.output); gate2: process inverter(gate1.output); gate3: process inverter(gate2.output); SPEC (AG AF gate1.output) SPEC(AG AF !gate1.output) MODULE inverter(input) VAR output: boolean; ASSIGN init(output) := 0; next(output) := !input;

18 2/19/200318 Counterexamples -- specification AG AF (!gate1.output) is false -- as demonstrated by the following execution state 2.1: gate1.output = 0 gate2.output = 0 gate3.output = 0 state 2.2: [executing process gate1] -- loop starts here -- state 2.3: gate1.output = 1 [stuttering]

19 2/19/200319 Asynchronous Composition (Revisited) MODULE main VAR gate1: process inverter(gate3.output); gate2: process inverter(gate1.output); gate3: process inverter(gate2.output); SPEC (AG AF gate1.output) SPEC(AG AF !gate1.output) MODULE inverter(input) VAR output: boolean; ASSIGN init(output) := 0; next(output) := !input union output;

20 2/19/200320 Example: Mutual Exclusion Module main VAR semaphore : boolean; proc1 : process user; proc2 : process user; ASSIGN init(semaphore) := 0; SPEC AG !(proc1.state = critical) SPEC AG !(proc2.state = critical) SPEC AG(proc1.state=entering -> AF proc1.state=critical) Module user VAR state : {idle, entering, critical, exiting}; ASSIGN init(state) := idle next(state) := case state = idle : {idle, entering}; state = entering & ! semaphore : critical; state = critical : {critical, exiting}; state = exiting : idle; 1 : state; esac; next(semaphore) := case state = entering : 1; state = exiting : 0; 1 : semaphore; esac;

21 2/19/200321 Output of Semaphore Example

22 2/19/200322 Run SMV smv [options] inputfile -c cache-size -k key-table-size -m mini-cache-size -v verbose -r prints out statistics about reachable state space -checktrans checks whether the transition relation is total

23 2/19/200323 SMV Options –f computes set of reachable states first Model checking algorithm traverses only the set of reachable states instead of complete state space. useful if reachable state space is a small fraction of total state space

24 2/19/200324 Variable Reordering Variable reordering is crucial for small BDD sizes and speed. Generally, variables which are related need to be close in the ordering. –i filename –o filename Input, output BDD variable ordering to given file. -reorder Invokes automatic variable reordering

Download ppt "2/19/20031 Introduction to SMV. 2/19/20032 Useful Links CMU Model checking homepage SMV windows version"

Similar presentations

Etter/Ingber Engineering Problem Solving with C Fundamental Concepts Chapter 4 Modular Programming with Functions.

Etter/Ingber Engineering Problem Solving with C Fundamental Concepts Chapter 4 Modular Programming with Functions.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Introduction to SMV Part 2

Introduction to SMV Part 2
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Models of Concurrency Manna, Pnueli.

Models of Concurrency Manna, Pnueli.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.

1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
Tutorial 12: Enhancing Excel with Visual Basic for Applications

Tutorial 12: Enhancing Excel with Visual Basic for Applications
Chapter 7 User-Defined Methods. Chapter Objectives  Understand how methods are used in Java programming  Learn about standard (predefined) methods and.

Chapter 7 User-Defined Methods. Chapter Objectives  Understand how methods are used in Java programming  Learn about standard (predefined) methods and.
Introduction to Unix – CS 21 Lecture 11. Lecture Overview Shell Programming Variable Discussion Command line parameters Arithmetic Discussion Control.

Introduction to Unix – CS 21 Lecture 11. Lecture Overview Shell Programming Variable Discussion Command line parameters Arithmetic Discussion Control.
CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.

CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Gary MarsdenSlide 1University of Cape Town Statements & Expressions Gary Marsden Semester 2 – 2000.

Gary MarsdenSlide 1University of Cape Town Statements & Expressions Gary Marsden Semester 2 – 2000.
© 2011 Carnegie Mellon University Introduction to SMV Part 2 Arie Gurfinkel (SEI/CMU) based on material by Prof. Clarke and others.

© 2011 Carnegie Mellon University Introduction to SMV Part 2 Arie Gurfinkel (SEI/CMU) based on material by Prof. Clarke and others.
© 2011 Carnegie Mellon University Introduction to SMV Arie Gurfinkel (SEI/CMU) based on material by Prof. Clarke and others.

© 2011 Carnegie Mellon University Introduction to SMV Arie Gurfinkel (SEI/CMU) based on material by Prof. Clarke and others.

Similar presentations

Ads by Google