
1 Introduction to SMV and Model Checking
Mostly by: Ken McMillan, Cadence Berkeley Labs, mcmillan@cadence.com
Small parts by: Brandon Eames, ISIS/Vanderbilt University, b.eames@vanderbilt.edu
Presented in the CS 367 class by Aditya

2 SMV Tool
- Can be downloaded from http://www-cad.eecs.berkeley.edu/~kenmcmil/smv/dld2.html

3 Outline
- Quick overview of SMV
- Model checking
  - Temporal logic
  - Model checking algorithms
  - Expressiveness and complexity
- Symbolic model checking
  - The "state explosion" problem
  - Binary Decision Diagrams
  - Computing fixed points with BDDs
  - Application

4 SMV: Symbolic Model Verifier
- Capture system behavior as combinational and sequential logic: finite state machines.
- Capture system requirements as statements in temporal logic.
- SMV applies the requirement specifications to the state machine model:
  - attempts to prove that the system meets the requirements;
  - if the system fails, attempts to show a counterexample.

5 How SMV Works
- Convert the system model (the FSM) to an OBDD representation.
- Convert the CTL specifications into operations that can be applied to OBDDs.
- Traverse the state space, applying the verification operations until a fixed point is reached, i.e. the computed set of states stops changing.
- Report the result of the traversal: requirements met, or not met (with a counterexample).

6 Example

    MODULE main
    VAR
      request : boolean;          -- never assigned: a free input the checker ranges over
      state : {ready, busy};
    ASSIGN
      init(state) := ready;
      next(state) := case
        state = ready & request : busy;
        1 : {ready, busy};        -- default arm: nondeterministic choice
      esac;
    SPEC AG(request -> AF state = busy)

The specification reads: on every path, whenever request holds, state eventually becomes busy.

7 SMV's supported CTL operators
    !      not
    &      and
    |      or
    ->     implies
    <->    logical equivalence
    E      existential path quantifier
    A      universal path quantifier
    X      next time
    F      eventually
    G      globally
    U      until

8 Propositional Linear Temporal Logic
- Express properties of "reactive systems": interactive, nonterminating.
- For PLTL, a model is an infinite state sequence.
- Temporal operators:
  - "Globally": G p at t iff p for all t' ≥ t.

9 Temporal operators...
  - "Future": F p at t iff p for some t' ≥ t.
  - "Until": p U q at t iff q for some t' ≥ t, and p in the range [t, t').
  - "Next-time": X p at t iff p at t+1.

10 Examples
- Liveness: "if input, then eventually output": G (input -> F output)
- Strong fairness: "infinitely often send implies infinitely often recv.": GF send -> GF recv
- Weak until: "no output before input": ¬output W input, where p W q ≡ (p U q) ∨ G p
(input, output, send, recv are atomic propositions; GF p reads "p infinitely often".)

11 Safety v. Liveness
- Safety: refutable by a finite run.
- Liveness: refutable only by an infinite run; every finite run is extensible to a satisfying run.

12 PLTL semantics
- Given an infinite sequence σ of states s_0 s_1 s_2 ...:
  - σ, i ⊨ φ if φ is true in state s_i of σ.
  - σ ⊨ φ if φ is true in state s_0 of σ.
  - ⊨ φ if φ is valid.
- A formula is an atomic proposition, or one of: true, p ∧ q, ¬p, p U q, X p.

13 PLTL semantics...
- Definition of satisfaction (iff)
- Derived operators...
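To make the operator definitions of slides 8-10 concrete, here is an added example (not from the slides, not part of SMV) that evaluates PLTL formulas on an infinite state sequence given as a "lasso": a finite prefix followed by a loop that repeats forever. The formula encoding, the Lasso class and the traces are constructed for this illustration; the semantics follow the slides' definitions of G, F, U, X and the weak-until identity p W q ≡ (p U q) ∨ G p.

```python
"""Evaluate PLTL formulas on an ultimately periodic (lasso) trace.

Every infinite suffix of a lasso revisits one of finitely many positions, so
"for all t' >= t" and "for some t' >= t" can be decided by walking the positions
reachable from t until one repeats.
"""

# Formula constructors (constructed for this example): tuples tagged by operator.
def ap(name):   return ("ap", name)
def Not(f):     return ("not", f)
def And(f, g):  return ("and", f, g)
def Or(f, g):   return ("or", f, g)
def Imp(f, g):  return ("imp", f, g)
def X(f):       return ("X", f)
def F(f):       return ("F", f)
def G(f):       return ("G", f)
def U(f, g):    return ("U", f, g)
def W(f, g):    return Or(U(f, g), G(f))      # p W q == (p U q) | G p (slide 10)

class Lasso:
    """Trace s0 s1 ... given as prefix + loop; each state is the set of atomic
    propositions true there."""
    def __init__(self, prefix, loop):
        assert loop, "the loop must be non-empty so the trace is infinite"
        self.states = [frozenset(s) for s in prefix + loop]
        self.loop_start = len(prefix)

    def succ(self, t):
        return t + 1 if t + 1 < len(self.states) else self.loop_start

    def suffix(self, t):
        """Positions t, t+1, ... in path order, stopping before the first repeat."""
        seen = []
        while t not in seen:
            seen.append(t)
            t = self.succ(t)
        return seen

    def holds(self, f, t=0):
        """sigma, t |= f, following the operator definitions of slides 8-9."""
        op = f[0]
        if op == "ap":  return f[1] in self.states[t]
        if op == "not": return not self.holds(f[1], t)
        if op == "and": return self.holds(f[1], t) and self.holds(f[2], t)
        if op == "or":  return self.holds(f[1], t) or self.holds(f[2], t)
        if op == "imp": return (not self.holds(f[1], t)) or self.holds(f[2], t)
        if op == "X":   return self.holds(f[1], self.succ(t))
        if op == "G":   return all(self.holds(f[1], u) for u in self.suffix(t))
        if op == "F":   return any(self.holds(f[1], u) for u in self.suffix(t))
        if op == "U":   # q at some t' >= t, with p holding throughout [t, t')
            for u in self.suffix(t):
                if self.holds(f[2], u):
                    return True
                if not self.holds(f[1], u):
                    return False
            return False
        raise ValueError("unknown operator %r" % op)

# The three slide-10 properties
LIVENESS = G(Imp(ap("input"), F(ap("output"))))
FAIRNESS = Imp(G(F(ap("send"))), G(F(ap("recv"))))
NO_OUTPUT_BEFORE_INPUT = W(Not(ap("output")), ap("input"))

def examples():
    """Constructed traces: sets of atomic propositions per state."""
    ok = Lasso([{"input"}, set()], [{"output"}, set()])
    stuck = Lasso([set()], [{"input"}, set()])        # input is never answered
    pingpong = Lasso([], [{"send"}, {"recv"}])
    silent_peer = Lasso([], [{"send"}])               # sends forever, never receives
    early_output = Lasso([set(), {"output"}], [{"input"}])
    idle = Lasso([], [set()])                         # nothing ever happens
    return {
        "liveness ok": ok.holds(LIVENESS),
        "liveness violated": stuck.holds(LIVENESS),
        "fairness ok": pingpong.holds(FAIRNESS),
        "fairness violated": silent_peer.holds(FAIRNESS),
        "weak until ok": ok.holds(NO_OUTPUT_BEFORE_INPUT),
        "weak until violated": early_output.holds(NO_OUTPUT_BEFORE_INPUT),
        "weak until holds vacuously": idle.holds(NO_OUTPUT_BEFORE_INPUT),
    }
```

The last case is the point of the weak until on slide 10: on a trace where input never arrives, ¬output U input is false but G ¬output is true, so "no output before input" still holds; the strong until would wrongly reject it.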

14 Model Checking (Clarke/Emerson, Queille/Sifakis)
Inputs: a temporal formula (e.g. G(p -> F q)) and a finite-state model. The model-checking algorithm answers "yes", or "no" together with a counterexample.
The model must now represent all behaviors.

15 Kripke models
- A Kripke model (S, R, L) consists of:
  - a set of states S
  - a set of transitions R ⊆ S × S
  - a labeling L ⊆ S × AP
- Kripke models from programs: the program
      repeat p := true; p := false; end
  gives a two-state model that alternates between a state labeled p and a state labeled ¬p.

16 Mutual exclusion example
States of the two-process mutual exclusion model (N = noncritical, T = trying, C = critical):
    N1,N2 turn=0
    T1,N2 turn=1
    T1,T2 turn=1
    C1,N2 turn=1
    C1,T2 turn=1
    N1,T2 turn=2
    T1,T2 turn=2
    N1,C2 turn=2
    T1,C2 turn=2

17 PLTL on Kripke models
- A path in model M = (S, R, L) is a sequence s_0 s_1 s_2 ... such that (s_i, s_{i+1}) ∈ R.
- Example: F p holds at s_0 of the path s_0 s_1 s_2 s_3 ... when p holds at some s_i.

18 Branching time
- The model of time is a tree, not a sequence.
- Path quantifiers: e.g. AF p holds when p is reached on every path from the root.

19 Computation Tree Logic
- Every operator F, G, X, U is preceded by A or E.
- Universal modalities: AG p (p holds at every node of the tree), AF p (on every path, p holds somewhere).

20 CTL, cont...
- Existential modalities: EG p (there is a path on which p holds everywhere), EF p (there is a path on which p holds somewhere).

21 CTL, cont
- Other modalities: AX p, EX p, A(p U q), E(p U q)
- Some dualities...
- Examples: mutual exclusion specs...
      AG ¬(C1 ∧ C2)       mutual exclusion
      AG (T1 -> AF C1)    liveness
      AG (N1 -> EX T1)    non-blocking

22 Symbolic model checking
- State explosion problem: the state graph is exponential in program size.
- Symbolic model checking approach:
  - Boolean formulas represent sets and relations
  - use fixed point characterizations of the CTL operators
  - model checking without building the state graph
- Can sometimes handle a much larger state space.

23 Binary Decision Diagrams (Bryant)
- Ordered decision tree for f = ab + cd, with variable order a, b, c, d: a complete binary tree with one level per variable, whose 16 leaves read 0001 0001 0001 1111.

24 OBDD reduction
- Reduced (OBDD) form of f = ab + cd: one decision node each for a, b, c and d, plus the terminals 0 and 1.
- Key idea: combine equivalent sub-cases.

25 OBDD properties
- Canonical form (for a fixed variable order): direct comparison of functions.
- Efficient apply algorithm: build BDDs for large circuits; combining f and g costs O(|f|·|g|).
- Variable order strongly affects size.

26 Boolean quantification
- If v is a boolean variable, then ∃v.f = f|v=0 ∨ f|v=1.
- Multivariate quantification: ∃(w1, w2, …, wn).f
- Complexity on the BDD representation: worst case exponential, heuristically efficient.
- Example: ∃(b,c).(ab ∨ cd) = a ∨ d
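Slides 23-26 can be exercised with a small reduced ordered BDD package. This is an added example, not code from the slides or from SMV: the BDD class, its unique table, ite-based apply, restrict and exists are constructed here. It builds f = ab + cd under two variable orders to show the size effect of slide 25, checks canonicity by building f twice in different ways, and computes ∃(b,c).f with the f|v=0 ∨ f|v=1 rule of slide 26.

```python
"""A minimal reduced ordered BDD (ROBDD) package (constructed example)."""
import itertools

class BDD:
    def __init__(self, order):
        self.vars = list(order)                       # variable names, top to bottom
        self.level = {v: i for i, v in enumerate(self.vars)}
        self.nodes = {0: None, 1: None}               # id -> (var, low, high); 0/1 terminals
        self.unique = {}                              # (var, low, high) -> id
        self.memo = {}                                # ite cache

    def mk(self, var, low, high):
        """Find or create the node testing var. Reduction rules: a node whose
        branches agree is dropped; identical (var, low, high) triples share a node."""
        if low == high:
            return low
        key = (var, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.nodes)
            self.nodes[self.unique[key]] = key
        return self.unique[key]

    def var(self, v):
        return self.mk(v, 0, 1)

    def top_level(self, n):
        return len(self.vars) if n in (0, 1) else self.level[self.nodes[n][0]]

    def cofactor(self, n, v, b):
        """n with v := b, valid when v is at or above n's top variable."""
        if n in (0, 1) or self.nodes[n][0] != v:
            return n
        return self.nodes[n][2] if b else self.nodes[n][1]

    def ite(self, f, g, h):
        """if f then g else h, by Shannon expansion on the topmost variable (apply)."""
        if f == 1: return g
        if f == 0: return h
        if g == h: return g
        if g == 1 and h == 0: return f
        key = (f, g, h)
        if key not in self.memo:
            v = self.vars[min(self.top_level(n) for n in (f, g, h))]
            lo = self.ite(*(self.cofactor(n, v, 0) for n in (f, g, h)))
            hi = self.ite(*(self.cofactor(n, v, 1) for n in (f, g, h)))
            self.memo[key] = self.mk(v, lo, hi)
        return self.memo[key]

    def NOT(self, f):    return self.ite(f, 0, 1)
    def AND(self, f, g): return self.ite(f, g, 0)
    def OR(self, f, g):  return self.ite(f, 1, g)

    def restrict(self, n, v, b):
        """f|v=b for an arbitrary variable v."""
        if n in (0, 1) or self.level[self.nodes[n][0]] > self.level[v]:
            return n                                  # v cannot occur below here
        var, lo, hi = self.nodes[n]
        if var == v:
            return hi if b else lo
        return self.mk(var, self.restrict(lo, v, b), self.restrict(hi, v, b))

    def exists(self, n, variables):
        """exists (w1,...,wk). f, one variable at a time: f|v=0 or f|v=1."""
        for v in variables:
            n = self.OR(self.restrict(n, v, 0), self.restrict(n, v, 1))
        return n

    def size(self, n):
        """Number of non-terminal nodes reachable from n."""
        seen, stack = set(), [n]
        while stack:
            m = stack.pop()
            if m in (0, 1) or m in seen:
                continue
            seen.add(m)
            stack.extend(self.nodes[m][1:])
        return len(seen)

    def evaluate(self, n, env):
        """Follow one root-to-terminal path under the assignment env."""
        while n not in (0, 1):
            var, lo, hi = self.nodes[n]
            n = hi if env[var] else lo
        return bool(n)

def ab_plus_cd(order):
    """Build f = ab + cd under the given variable order; return (bdd, root)."""
    bdd = BDD(order)
    a, b, c, d = (bdd.var(v) for v in "abcd")
    return bdd, bdd.OR(bdd.AND(a, b), bdd.AND(c, d))

def demo():
    bdd, f = ab_plus_cd("abcd")
    bdd2, f2 = ab_plus_cd("acbd")
    a, b, c, d = (bdd.var(v) for v in "abcd")
    truth = all(bdd.evaluate(f, dict(zip("abcd", bits)))
                == bool((bits[0] and bits[1]) or (bits[2] and bits[3]))
                for bits in itertools.product([0, 1], repeat=4))
    return {
        "size under a<b<c<d": bdd.size(f),
        "size under a<c<b<d": bdd2.size(f2),
        "matches truth table": truth,
        "canonical": bdd.OR(bdd.AND(c, d), bdd.AND(a, b)) == f,   # same node id
        "exists b,c equals a or d": bdd.exists(f, "bc") == bdd.OR(a, d),
    }
```

Under the order a < b < c < d the reduced diagram has the four decision nodes of slide 24; moving c above b splits the b and d sub-cases and costs six. Because the unique table makes every function a single node id, equality of BDDs is an integer comparison, which is the "direct comparison" of slide 25.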

27 Characterizing sets
- Let M = (S, R, L) be a Kripke model.
- Let S be the set of boolean vectors (v1, v2, …, vn) ∈ {0,1}^n.
- Represent any P ⊆ S by its characteristic function χ_P: P = {(v1, v2, …, vn) : χ_P}.
- Set operations:
  - χ_∅ = false, χ_S = true
  - χ_{P ∪ Q} = χ_P ∨ χ_Q
  - χ_{P ∩ Q} = χ_P ∧ χ_Q
  - χ_{S \ P} = ¬χ_P

28 Characterizing relations
- The transition relation R is a set of state pairs: R = {((v1, v2, …, vn), (v'1, v'2, …, v'n)) : χ_R}
- Example: a synchronous sequential circuit with state bits v1 v0 (a two-bit counter):
      χ_R = (v'0 = ¬v0) ∧ (v'1 = v0 ⊕ v1)

29 Transition relations, cont...
- An asynchronous circuit (figure: a latch with inputs s, r and outputs q, q̄):
  - interleaving model
  - simultaneous model

30 Forward and reverse image
- Forward image: Image(P, R) = {s' : ∃s ∈ P. (s, s') ∈ R}, the set of successors of states in P.

31 Images, cont...
- Reverse image: Image⁻¹(P, R) = {s : ∃s' ∈ P. (s, s') ∈ R}, the set of states with a successor in P; this is exactly EX P.

32 Symbolic CTL model checking
- Equate a formula f with the set of states satisfying it…
- Compute BDDs for the characteristic functions…
  - ¬p, p ∧ q, p ∨ q (use BDD ops)
  - EX p = Image⁻¹(p, R)
  - AX p = ¬EX ¬p
- The remaining operators have fixed-point characterizations... In fact, this is the least fixed point...

33 Fixed points of monotonic functions
- Let τ be a function S → S (here S is taken as the lattice of state sets, ordered by ⊆).
- Say τ is monotonic when x ⊆ y implies τ(x) ⊆ τ(y).
- A fixed point of τ is a y such that τ(y) = y.
- If τ is monotonic, then it has
  - a least fixed point μy. τ(y)
  - a greatest fixed point νy. τ(y)

34 Iteratively computing fixed points
- Suppose S is finite.
  - The least fixed point μy. τ(y) is the limit of the increasing series false, τ(false), τ(τ(false)), ...
  - The greatest fixed point νy. τ(y) is the limit of the decreasing series true, τ(true), τ(τ(true)), ...
- Note: since S is finite, convergence is finite.

35 Example: EF p
- EF p is characterized by μy. p ∨ EX y.
- Thus, it is the limit of the increasing series p, p ∨ EX p, p ∨ EX(p ∨ EX p), ... which we can compute entirely using BDD operations.

36 Example: EG p
- EG p is characterized by νy. p ∧ EX y.
- Thus, it is the limit of the decreasing series p, p ∧ EX p, p ∧ EX(p ∧ EX p), ... which we can compute entirely using BDD operations.

37 Remaining operators
- Allows CTL model checking with only BDD ops:
  - avoid building the state graph
  - (sometimes) avoid the state explosion problem
- Now you can go home and build your own symbolic model checker...
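Taking the last line at its word, here is an added example (not code from the slides or from SMV) that implements the fixed-point model checking of slides 32-36 and runs the three mutual exclusion specifications of slide 21 on the nine-state model of slide 16. Plain Python sets stand in for the BDD-represented characteristic functions: union, intersection and complement play the BDD ops, EX is the reverse image Image⁻¹(P, R), and EF/EG/EU are least/greatest fixed points iterated from false (the empty set) or true (all states). The transition relation is constructed for this example from the usual reading of the turn-based algorithm, since the slide shows only the states.

```python
"""CTL model checking by fixed-point iteration on explicit state sets."""

class Kripke:
    def __init__(self, states, transitions, init):
        self.S = frozenset(states)
        self.R = frozenset(transitions)
        self.init = init

    # Characteristic-function operations (slide 27) on explicit sets
    def NOT(self, P):    return self.S - P
    def IMP(self, P, Q): return (self.S - P) | Q

    def EX(self, P):
        """Reverse image Image^-1(P, R): states with at least one successor in P."""
        return frozenset(s for (s, t) in self.R if t in P)
    def AX(self, P):     return self.NOT(self.EX(self.NOT(P)))

    def lfp(self, tau):
        """mu y. tau(y): the limit of false, tau(false), tau(tau(false)), ..."""
        y = frozenset()
        while tau(y) != y:
            y = tau(y)
        return y

    def gfp(self, tau):
        """nu y. tau(y): the limit of true, tau(true), tau(tau(true)), ..."""
        y = self.S
        while tau(y) != y:
            y = tau(y)
        return y

    def EF(self, P):     return self.lfp(lambda y: P | self.EX(y))        # slide 35
    def EG(self, P):     return self.gfp(lambda y: P & self.EX(y))        # slide 36
    def EU(self, P, Q):  return self.lfp(lambda y: Q | (P & self.EX(y)))
    def AF(self, P):     return self.NOT(self.EG(self.NOT(P)))
    def AG(self, P):     return self.NOT(self.EF(self.NOT(P)))
    def AU(self, P, Q):
        """A(p U q) = not E(not q U (not p and not q)) and not EG(not q)."""
        nq = self.NOT(Q)
        return self.NOT(self.EU(nq, self.NOT(P) & nq)) & self.NOT(self.EG(nq))

    def holds(self, P):
        """A specification holds when the initial state satisfies it."""
        return self.init in P

# Slide 16 states as (process 1 status, process 2 status, turn).
N, T, C = "N", "T", "C"
STATES = [(N, N, 0), (T, N, 1), (C, N, 1), (T, T, 1), (C, T, 1),
          (N, T, 2), (T, T, 2), (N, C, 2), (T, C, 2)]
# Constructed transitions: a noncritical process may start trying (taking the
# turn if it is free); a trying process enters when it holds the turn; a
# leaving process frees the turn, or hands it to the other process if waiting.
TRANSITIONS = [
    ((N, N, 0), (T, N, 1)), ((N, N, 0), (N, T, 2)),
    ((T, N, 1), (C, N, 1)), ((T, N, 1), (T, T, 1)),
    ((C, N, 1), (N, N, 0)), ((C, N, 1), (C, T, 1)),
    ((T, T, 1), (C, T, 1)),
    ((C, T, 1), (N, T, 2)),
    ((N, T, 2), (N, C, 2)), ((N, T, 2), (T, T, 2)),
    ((N, C, 2), (N, N, 0)), ((N, C, 2), (T, C, 2)),
    ((T, T, 2), (T, C, 2)),
    ((T, C, 2), (T, N, 1)),
]
M = Kripke(STATES, TRANSITIONS, (N, N, 0))

def status(process, value):
    """Atomic proposition: the set of states where the process has that status."""
    return frozenset(s for s in M.S if s[process] == value)

def check_specs():
    N1, T1, C1 = (status(0, v) for v in (N, T, C))
    C2 = status(1, C)
    return {
        "mutual exclusion AG !(C1 & C2)": M.holds(M.AG(M.NOT(C1 & C2))),
        "liveness AG (T1 -> AF C1)": M.holds(M.AG(M.IMP(T1, M.AF(C1)))),
        "non-blocking AG (N1 -> EX T1)": M.holds(M.AG(M.IMP(N1, M.EX(T1)))),
        # A stronger claim that is false: the violating states are the counterexample
        "AG (T1 -> EX C1)": M.holds(M.AG(M.IMP(T1, M.EX(C1)))),
        "states violating T1 -> EX C1": M.NOT(M.IMP(T1, M.EX(C1))),
    }
```

The failing check shows what the fixed point gives you beyond yes/no: ¬(T1 → EX C1) is the set of states where process 1 is trying but cannot enter next step (those with turn=2), and AG rejects because EF reaches them from the initial state. Replacing the sets by BDDs over a boolean encoding of (status1, status2, turn) and EX by a BDD image computation turns this into the symbolic algorithm of slides 32-37.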

38 Why does it work?
- Many partial states are equivalent... which implies many subfunctions are equivalent... which is exactly what the OBDD shares.

39 When doesn't it work?
- Protocols that pass pointers
- Linked lists
- Any time one part of the system "knows" a large amount of information about another part

40 Summary
- Model checking
  - Automatic verification (or falsification) of finite state systems
  - Linear v. branching time logics
- State explosion problem
  - Binary Decision Diagrams
  - Heuristically efficient boolean operations
  - Image calculations
  - Fixed point characterization of CTL
  - Model checking without building the state graph
- Applications
  - Find subtle errors in complex protocols

