Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

Introduction to SMV 2/18/2005 1

advertisement 
Introduction to SMV
2/18/2005
1
Symbolic Model Verifier





Ken McMillan, Symbolic Model
Checking: An Approach to the State
Explosion Problem, 1993.
Finite-state Systems described in a
specialized language
Specifications given as CTL formulas
Internal representation using OBDDs
Automatically verifies specification or
produces a counterexample
2/18/2005
2
Overview of SMV
SMV Input
Language
Finite
State
Kripke
Structure
Backend
OBDD based
Symbolic Model
Checking
Yes
Specification –
CTL Formula
No
CounterExample
2/18/2005
3
Language Characteristics

Allows description of completely synchronous
to asynchronous systems, detailed to
abstract systems

Modularized and hierarchical descriptions

Finite data types: Boolean and enumerated
2/18/2005
4
Language Characteristics (cont..)

Parallel-assignment syntax

Non-determinism
2/18/2005
5
A Sample SMV Program
MODULE main
VAR
request: boolean;
state: {ready, busy};
ASSIGN
init(state) := ready;
next(state) :=
case
state=ready & request: busy;
1: {ready, busy};
esac;
SPEC AG(request -> AF (state = busy))
2/18/2005
6
SMV Syntax - Expressions
Expr ::
atom
;; symbolic constant
| number
;; numeric constant
| id
;; variable identifier
| “!” expr
;; logical not
| expr1 <op> expr2
| “next” “(“ id “)”
;; next value
| case_expr
| set_expr
2/18/2005
7
The Case Expression
Case_expr :: “case”
expr_a1 “:” expr_b2 “;”
…
expr_an “:” expr_bn “;”
“esac”
 Guards are evaluated sequentially.
 The first one that is true determines the
resulting value
 If none of the guards are true, result is
numeric value 1
2/18/2005
8
State Variables
Decl :: “VAR”
atom1 “:” type1 “;”
atom2 “:” type2 “;”
…
 State is an assignment of values to a
set of state variables
 Type of a variable – boolean, scalar,
user defined module, or array.
2/18/2005
9
ASSIGN declaration
Decl :: “ASSIGN”
dest1 “:=“ expr1 “;”
dest2 “:=“ expr2 “;”
…
Dest :: atom
| “init” “(“ atom “)”
| “next” “(“ atom “)”
2/18/2005
10
Variable Assignments





Assignment to initial state:
init(value) := 0;
Assignment to next state (transition relation)
next(value)
:= value + carry_in mod 2;
Assignment to current state (invariant)
carry_out := value & carry_in;
Either init-next or invar should be used, but
not both
SMV is a parallel assignment language
2/18/2005
11
Circular definitions


… are not allowed!
This is illegal:


a := next(b);
next(b) := c;
c := a;
This is o.k.

init(a) := 0;
next(a) := !b;
init(b) := 1;
next(b) := !a;
2/18/2005
12
Nondeterminism



Completely unassigned variable can model
unconstrained input.
{val_1, …, val_n} is an expression taking on any
of the given values nondeterministically.
Nondeterministic choice can be used to:


Model an implementation that has not been
refined yet
Abstract behavior
2/18/2005
13
ASSIGN and DEFINE


VAR a: boolean;
ASSIGN a := b | c;
 declares a new state variable a
 becomes part of invariant relation
DEFINE d:= b | c;



is effectively a macro definition, each occurrence
of d is replaced by b | c
no extra BDD variable is generated for d
the BDD for b | c becomes part of each
expression using d
2/18/2005
14
SPEC declaration



Decl :: “SPEC” ctlform
Ctlform :: expr
;; bool expression
| “!” ctlform
| ctlform1 <op> ctlform2
| “E” pathform
| “A” pathform
Pathform :: “X” ctlform
| “F” ctlform
| “G” ctlform
| ctlform1 “U” ctlform2
2/18/2005
15
Modules and Hierarchy

Modules can be instantiated many times, each
instantiation creates a copy of the local
variables

Each program has a module main

Scoping


Variables declared outside a module can be
passed as parameters
Parameters are passed by reference.
2/18/2005
16
Pass by reference
DEFINE
a := 0;
VAR
b : bar(a);
…
MODULE bar(x)
DEFINE
a := 1;
y := x;
2/18/2005
17
Pass by reference
…
VAR
a : boolean;
b : foo(a);
…
MODULE foo(x)
ASSIGN
x:=1;
2/18/2005
18
MODULE main
VAR
bit0 : counter_cell(1);
bit1 : counter_cell(bit0.carry_out);
bit2 : counter_cell(bit1.carry_out);
SPEC AG AF bit2.carry_out
MODULE counter_cell(carry_in)
VAR value : boolean;
ASSIGN
init(value) := 0;
next(value) := value + carry_in mod 2;
DEFINE carry_out := value & carry_in;
2/18/2005
19
Module Composition

Synchronous composition



All assignments are executed in parallel and
synchronously.
A single step of the resulting model corresponds
to a step in each of the components.
Asynchronous composition


A step of the composition is a step by exactly one
process.
Variables, not assigned in that process, are left
unchanged.
2/18/2005
20
Asynchronous Composition
MODULE main
VAR
gate1: process inverter(gate3.output);
gate2: process inverter(gate1.output);
gate3: process inverter(gate2.output);
SPEC
(AG AF gate1.output) & (AG AF !gate1.output)
MODULE inverter(input)
VAR output: boolean;
ASSIGN
init(output) := 0;
next(output) := !input;
2/18/2005
21
Fairness

FAIRNESS ctl_formulae




If there are no fair paths



Assumed to be true infinitely often
Model checker only explores paths satisfying fairness
constraint
Each fairness constraint must be true infinitely often
All existential formulas are false
All universal formulas are true
FAIRNESS running
2/18/2005
22
With Fairness..
MODULE main
VAR
gate1: process inverter(gate3.output);
gate2: process inverter(gate1.output);
gate3: process inverter(gate2.output);
SPEC
(AG AF gate1.output) & (AG AF !gate1.output)
MODULE inverter(input)
VAR
output: boolean;
ASSIGN
init(output) := 0;
next(output) := !input;
FAIRNESS
running
2/18/2005
23
Counter revisited
MODULE main
VAR
count_enable : boolean;
bit0 : counter_cell(count_enable);
bit1 : counter_cell(bit0.carr_out);
bit2 : counter_cell(bit1.carry_out);
SPEC AG AF bit2.carry_out
FAIRNESS count_enable
2/18/2005
24
Synchronous vs Asynchronous
•
•
In Asynchronous process, need not
combine transition relation of each
process
Complexity of representing set of
states reachable in n steps higher in
asynchronous processes occassionally
due to higher number of interleavings
2/18/2005
25
Implicit Modelling



TRANS - boolean valued expr
restricting transition relation of
system
INIT - boolean valued expression
giving initial states
INVAR - boolean valued expression
restricting set of all states of model
2/18/2005
26
Implicit Modelling Example
MODULE main
VAR
gate1 : inverter(gate3.output);
gate2 : inverter(gate1.output);
gate3 : inverter(gate2.output);
SPEC
(AG AF gate1.out) & (AG AF !gate1.out)
MODULE inverter(input)
VAR
Output : boolean;
INIT
output = 0;
TRANS
next(output) = !input | next(output) = output
2/18/2005
27
TRANS
Advantages
• Group assignments to different variables
• Good for modelling guarded commands
Disadvantages
• Logical absurdities can lead to
unimplementable descriptions
2/18/2005
28
Shared Data Example
Two Users assign pid to shared data in turn
MODULE main
VAR
data : boolean;
turn : boolean;
user0 : user(0, data, turn);
user1 : user(1, data, turn);
ASSIGN
next(turn) := !turn;
SPEC
AG (AF data & AF (!data))
2/18/2005
29
Shared data example (cont..)
Using ASSIGN and CASE statement won’t
work(constraining sema all the time)
MODULE user(pid, data, turn)
ASSIGN
next(data) := case
turn: pid;
1 : data;
esac;
Line 3: multiple assignment: next(data)
2/18/2005
30
Using TRANS
TRANS useful for changing shared data
in synchronous system between
modules.
MODULE user(pid, turn, data)
TRANS
turn -> next(data) = pid
2/18/2005
31
Guarded Commands
Guard1 : action1
Guard2 : action2
..
Otherwise nop
TRANS
(guard1 & action1)|
(guard2 & action2)|
…
(!guard1 & !guard2 & … & “nop”)
2/18/2005
32
TRANS Pitfall
True -> next(b) = 0 &
True -> next(b) = 1 & …
Results in an empty transition relation
2/18/2005
33
TRANS Guidelines




Try using ASSIGN instead
Write in a disjunction of conjunction
format
Try covering all cases
Try make guards disjoint
2/18/2005
34
SMV Steps




Read_Model : read model from input smv file
Flatten_hierarchy : instantiate modules and
processes
Build_model : compile the model into BDDs
(initial state, invar, transition relation)
Check_spec : checking specification bottom
up
2/18/2005
35
Run SMV

smv [options] inputfile





-c cache-size for BDD operations
-k key-table-size for BDD nodes
-v verbose
-int interactive mode
-r

2/18/2005
prints out statistics about reachable state
space
36
SMV Options

–f



computes set of reachable states first
Model checking algorithm traverses only
the set of reachable states instead of
complete state space.
useful if reachable state space is a small
fraction of total state space
2/18/2005
37
SMV Options: Reordering vars



Variable reordering is crucial for small BDD sizes and
speed.
Generally, variables which are related need to be
close in the ordering.
–i filename –o filename


Input, output BDD variable ordering to given file.
-reorder

Invokes automatic variable reordering
2/18/2005
38
SMV Options: Transition relation
smv -cp part_limit


Conjunctive Partitioning: Transition relation
not evaluated as a whole, instead individual
next() assignments are grouped into
partitions that do not exceed part_limit
Uses less memory and benefits from early
quantification
2/18/2005
39
SMV options: -inc



Perform incremental evaluation of the
transition relation
At each step in forward search,
transition relation restriced to
reached state set
Cuts down on size of transition
relation with overhead of extra
computation
2/18/2005
40
Example: Client & Server
MODULE client (ack)
VAR
state : {idle, requesting};
req : boolean;
ASSIGN
init(state) := idle;
next(state) :=
case
state=idle : {idle, requesting};
state=requesting & ack : {idle, requesting};
1 : state;
esac;
req := (state=requesting);
2/18/2005
41
MODULE server (req)
VAR
state : {idle, pending, acking};
ack : boolean;
ASSIGN
next(state) :=
case
state=idle & req : pending;
state=pending : {pending, acking};
state=acking & req : pending;
state=acking & !req : idle;
1 : state;
esac;
ack := (state = acking);
2/18/2005
42
Is the specification true?
MODULE main
VAR
c : client(s.ack);
s : server(c.req);
SPEC AG (c.req -> AF s.ack)

Need fairness constraint:



Suggestion:
FAIRNESS s.ack
Why is this bad?
Solution:
FAIRNESS (c.req -> s.ack)
2/18/2005
43
NuSMV




Specifications expressible in CTL, LTL and
Real time CTL logics
Provides both BDD and SAT based model
checking.
Uses a number of heuristics for achieving
efficiency and control state explosion
Higher number of features in interactive
mode
2/18/2005
44
Cadence SMV


Provides “compositional techniques” to
verify large complex systems by
decomposition to smaller problems.
Provides a variety of techniques for
refinement verification, symmetry
reductions, uninterpreted functions,
data type reductions.
2/18/2005
45
Useful Links


SMV sources, binaries and manuals
http://www.cs.cmu.edu/~modelcheck/smv.html
SMV man page
http://www.cs.cmu.edu/~dongw/smv.txt

SMV manual

Tutorial on verification techniques using Cadence SMV

SMV Input Language documentation
http://www.cs.cmu.edu/~modelcheck/smv/smvmanual.ps
http://www-cad.eecs.berkeley.edu/~kenmcmil/tutorial.ps
http://www-cad.eecs.berkeley.edu/~kenmcmil/psdoc.html
2/18/2005
46
Downloads
SMV
www.cs.cmu.edu/~modelcheck/smv.html
 NuSMV
http://nusmv.irst.itc.it/
 Cadence SMV
http://wwwcad.eecs.berkeley.edu/~kenmcmil/s
mv

2/18/2005
47
Related documents
Name & ID:_________________________________________________________ Quiz Q1 CS 100 – Summer 1999
Name & ID:_________________________________________________________ Quiz Q1 CS 100 – Summer 1999
A property of the mean Let a1, ..., an be arbitrary real numbers and
A property of the mean Let a1, ..., an be arbitrary real numbers and
Partial Solutions to Homework 5 Mathematics 5010–1, Summer 2009
Partial Solutions to Homework 5 Mathematics 5010–1, Summer 2009
Random Variables and Random Sampling-Distribution of μ σ
Random Variables and Random Sampling-Distribution of μ σ
Computation With Variables
Computation With Variables
CS 1316 Sample Vocabulary Words
CS 1316 Sample Vocabulary Words
Download
advertisement