Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 9: SMV: An Introduction

Published byΛουκανός Δυοβουνιώτης Modified over 4 years ago

Similar presentations

Presentation on theme: "Lecture 9: SMV: An Introduction"— Presentation transcript:

1 Lecture 9: SMV: An Introduction
Based on lectures by Dong Wang and Marius Minea.

2 Useful Links CMU Model checking homepage
SMV windows version SMV man page (must read) SMV manual

3 SMV: Symbolic Model Verifier
Ken McMillan, Symbolic Model Checking: An Approach to State Explosion Problem, 1993. Finite-state Systems described in a specialized language Specifications given as CTL formulas Internal representation using BDDs Automatically verifies specification or produce counterexamples

4 Language Characteristics
Allows description of synchronous and asynchronous systems Modularized and hierarchical descriptions Finite data types: boolean, enum, int etc Nondeterminism Variety of specifications: safety, liveness, deadlock freedom

5 A Sample SMV Program MODULE main VAR request: boolean;
state: {ready, busy}; ASSIGN init(state) := ready; next(state) := case state=ready & request: busy; 1: {ready, busy}; esac; SPEC AG(request -> AF (state = busy))

6 Variable Assignments Assignment to initial state: init(value) := 0;
Assignment to next state: transition relation next(value) := value + carry_in mod 2; Assignment to current state: invariant relation carry_out := value & carry_in; SMV is a parallel assignment language all assignments executed in parallel and simultaneously SMV checks for circularities and duplicate assignments

7 Specifications EF p : from all initial states, a state where p holds is reachable. A[p U q] : p remains true until q is true. AG AF p : p is true infinitely often on very compution path. AG (req -> AF ack) : any request will be eventually acknowledged.

8 ASSIGN and DEFINE VAR a: boolean; ASSIGN a := b | c;
declares a new state variable a becomes part of invariant relation DEFINE d:= b | c; is effectively a macro definition, each occurrence of d is replaced by b | c no extra BDD variable is generated for d the BDD for b | c becomes part of each expression using d Generally suitable for more complex assignments

9 More on Case Statement Case statement is converted to if-then-else internally, so all the guards are evaluated sequentially. If none of the guards are true, an arbitrary valid value is returned.

10 Nondeterminism Completely unassigned variable can model unconstrained input. {val_1, …, val_n} is an expression taking on any of the given values nondeterministically. Nondeterministic choice to model an implementation that has not been refined yet In abstract models where a value of some state variable cannot be completely determined

11 Modules and Hierarchy Modules can be instantiated.
Each program has a module main Scoping Variables declared outside a module can be passed as parameters. Internal variables of a module can be used in enclosing modules(submodel.varname). Parameters are passed by reference. in variable declarations module_name.var_name to reference variable in a module

12 Modules and Hierarchy - Example
MODULE main VAR bit0 : counter_cell(1); bit1 : counter_cell(bit0.carry_out); bit2 : counter_cell(bit1.carry_out); SPEC AG AF bit2.carry_out MODULE counter_cell(carry_in) VAR value : boolean; ASSIGN init(value) := 0; next(value) := value + carry_in mod 2; DEFINE carry_out := value & carry_in;

13 Module Composition Synchronous composition
All assignments are executed in parallel and synchronously. A single step of the resulting model corresponds to a step in each of the components. Asynchronous composition A step of the composition is a step by exactly one process. Variables, not assigned in that process, are left unchanged.

14 Asynchronous Composition
MODULE main VAR gate1: process inverter(gate3.output); gate2: process inverter(gate1.output); gate3: process inverter(gate2.output); SPEC (AG AF gate1.output) SPEC (AG AF !gate1.output) MODULE inverter(input) VAR output: boolean; ASSIGN init(output) := 0; next(output) := !input;

15 Counterexamples -- specification AG AF (!gate1.output) is false
-- as demonstrated by the following execution state 2.1: gate1.output = 0 gate2.output = 0 gate3.output = 0 state 2.2: [executing process gate1] -- loop starts here -- state 2.3: gate1.output = 1 [stuttering] state 2.4:

16 Fairness Fairness constraint FAIRNESS ctl_formulae
Assumed to be true infinitely often Model checker only explores paths satisfying fairness constraint FAIRNESS running

17 Counter Revisited MODULE main VAR count_enable: boolean;
bit0 : counter_cell(count_enable); bit1 : counter_cell(bit0.carry_out); bit2 : counter_cell(bit1.carry_out); SPEC AG AF bit2.carry_out FAIRNESS count_enable

18 Modeling Shared Variables
MODULE zero(a) ASSIGN next(a) := 0; FAIRNESS running MODULE one(b) ASSIGN next(b) := 1; MODULE main VAR x: boolean; z: process zero(x); o: process one(x); SPEC AG AF (x = 0)

19 Implicit Modeling INIT boolean_expr
Initial states will be those satisfy boolean_expr. There is no next operator in boolean_expr. INVAR boolean_expr The set of states is restricted to those satisfy boolean_expr TRANS boolean_expr Restrict the transition relation.

20 Implicit Modeling Example
INVAR (!enable -> stutter) TRANS ((state = idle & next(state) = request) | (state = request & sema & turn = id & (next(state) = critical & next(sema) = 0) | (state = critical & next(state) = release))

21 TRANS Advantages Group assignments to different variables
Good for modeling guarded commands Disadvantages - easy to make mistakes Contradictory constraints Transition relation is empty, reachable states is 0. Transition relation is not total. Missing cases

22 Shared Data Example - main module
Two users assign pid to shared data in turn MODULE main VAR data: boolean; turn: boolean; user0: user(0, data, turn); user1: user(1, data, !turn); ASSIGN next(turn) := !turn; SPEC AG (AF data & AF (!data))

23 Shared Data Example - user module 1
Using ASSIGN and case statement won’t work (constraining sema all the time). MODULE user(pid, data, turn) ASSIGN next(data) := case turn: pid; 1: data; esac; line 3: multiple assignment: next(data)

24 Shared Data Example - user module 2
TRANS is useful for changing shared data in a synchronous system between modules. MODULE user(pid, data, turn) TRANS turn -> next(data) = id

25 Guarded Commands guard1 : action1 guard2 : action2 … otherwise: nop
TRANS (guard1 & action1) | (guard2 & action2) | (!guard1 & !gard2 & … & “nop”)

26 Guarded Commands Pitfall
TRANS guard1 -> action1 & guard2 -> action2 & (!guard1 & !guard2 & ... -> “nop”) For example true -> next(b) = 0 & true -> next(b) = 1 & ... This results in an empty transition relation

27 TRANS Guidelines Try to use ASSIGN instead
Write in a disjunction of conjunctions format Do not constrain current state variable, use INVAR for that Try to cover all cases Try to make guards disjoint

28 SMV Steps read_model: read the input smv file
flatten_hierarchy: instantiate modules and processes build_model: compile the model into BDDs(initial state, invar, transition relation) check_spec: checking specification bottom-up

29 Synchronous vs. Asynchronous
Conjunct transition relation from each module Asynchronous N (V, V’) = N0(V, V’) | .. | Nn-1(V,V’) where Ni (V,V’) = (vi’ = Fi(V)) & ji (vj’= vj) Figure out variables each process modify Fact - SMV does not support modules having TRANS to be a process, why?

30 Run SMV smv [options] inputfile -c cache-size -k key-table-size
-m mini-cache-size -v verbose -r prints out statistics about reachable state space -checktrans checks whether the transition relation is total

31 SMV Options –f computes set of reachable staes first
Model checking algorithms traverse only set of reachable states instead of complete state space. useful if reachable state space is a small fraction of total state space : useful to follow progress of verification

32 SMV Options: Variable ordering
Variable ordering is crucial for small BDD sizes and speed. Generally, variables which are related need to be close in the ordering. –i filename –o filename Input, output BDD variable ordering to given file. -reorder Invokes automatic variable reordering as soon as BDD size exceeds a certain limit

33 SMV Options: Transition relation
smv –cp part_limit Conjunctive partitioning. Transition relation not evaluated as a whole, instead individual next() assignments are grouped into partitions that do not exceed part_limit. This method generally uses less memory and can benefit from early quantification. Only for synchronous models

34 Mutual Exclusion -1 MODULE user(turn, id, other) VAR state: {n, t, c};
ASSIGN init(state) := n; next(state) := case state = n : {n, t}; state = t & other = n: c; state = t & other = t & turn = id: c; state = c: n; 1: state; esac; SPEC AG(state = t -> AF (state = c))

35 Mutual Exclusion -2 MODULE main VAR turn: {1, 2};
user1: user(turn, 1, user2.state); user2: user(turn, 2, user1.state); ASSIGN init(turn) := 1; next(turn) := case user1.state = n & user2.state = t: 2; user2.state = n & user1.state = t: 1; 1: turn; esac; SPEC AG !(user1.state = c & user2.state = c)

36 Mutual Exclusion: Counterexample
Specification AG (user1.state != c) is false state 1.1 turn = 1 user1.state = n user2.state = n state 1.2: user1.state = t state 1.3 user1.state = c

Download ppt "Lecture 9: SMV: An Introduction"

Similar presentations

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Introduction to SMV Part 2

Introduction to SMV Part 2
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Models of Concurrency Manna, Pnueli.

Models of Concurrency Manna, Pnueli.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.

1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Ch. 7 Process Synchronization (1/2) 2015-04-17. 7.I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.

Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.
Introduction to Unix – CS 21 Lecture 11. Lecture Overview Shell Programming Variable Discussion Command line parameters Arithmetic Discussion Control.

Introduction to Unix – CS 21 Lecture 11. Lecture Overview Shell Programming Variable Discussion Command line parameters Arithmetic Discussion Control.
CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.

CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.

Similar presentations

Ads by Google