2/18/20051 Introduction to SMV. 2/18/20052 Symbolic Model Verifier Ken McMillan, Symbolic Model Checking: An Approach to the State Explosion Problem,

Slides:



Advertisements
Similar presentations
Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Advertisements

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Conclusion Summary Research trends Resources.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Models of Concurrency Manna, Pnueli.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
UPPAAL Introduction Chien-Liang Chen.
Timed Automata.
Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.
SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.
1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
© 2011 Carnegie Mellon University Introduction to SMV Part 2 Arie Gurfinkel (SEI/CMU) based on material by Prof. Clarke and others.
© 2011 Carnegie Mellon University Introduction to SMV Arie Gurfinkel (SEI/CMU) based on material by Prof. Clarke and others.
FMuOS: Formal verification of critical program parts NuSMV system Prepared by: Alan Jović, Ph.D. Acad. year: 2014/2015.
1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.
Action Language: A Specification Language for Model Checking Reactive Systems Tevfik Bultan Department of Computer Science University of California, Santa.
SMV Examples Bug Catching in 2006 Fall Oct. 24, 2006.
1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.
Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.
1 Using Cadence SMV to verify temporal properties of finite-state machines : Intro to Model Checking October 9, 2008.
ECE Synthesis & Verification - L211 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Verification Equivalence checking.
Review of the automata-theoretic approach to model-checking.
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
Optimizing Symbolic Model Checking for Constraint-Rich Systems Randal E. Bryant Bwolen Yang, Reid Simmons, David R. O’Hallaron Carnegie Mellon University.
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
Model Checking and Related Techniques
Introduction to Software Testing Chapter 9.4 Model-Based Grammars Paul Ammann & Jeff Offutt
1 Introduction to SMV and Model Checking Mostly by: Ken McMillan Cadence Berkeley Labs Small parts by: Brandon Eames ISIS/Vanderbilt.
ECE 2372 Modern Digital System Design
Model Checking Lecture 4 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.
CS6133 Software Specification and Verification
Introduction to Formal Verification using Rulebase April 18, 2001 Rebecca Gott eServer I/O Development Hardware Verification
Algorithmic Software Verification V &VI. Binary decision diagrams.
CS5270 Lecture 41 Timed Automata I CS 5270 Lecture 4.
2/19/20031 Introduction to SMV. 2/19/20032 Useful Links CMU Model checking homepage SMV windows version
Verification & Validation By: Amir Masoud Gharehbaghi
Predicate Abstraction. Abstract state space exploration Method: (1) start in the abstract initial state (2) use to compute reachable states (invariants)
Hwajung Lee. Why do we need these? Don’t we already know a lot about programming? Well, you need to capture the notions of atomicity, non-determinism,
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
ALLOY: A Formal Methods Tool Glenn Gordon Indiana University of Pennsylvania COSC 481- Formal Methods Dr. W. Oblitey 26 April 2005.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
CS5270 Lecture 41 Timed Automata I CS 5270 Lecture 4.
The PLA Model: On the Combination of Product-Line Analyses 강태준.
Complexity of Compositional Model Checking of Computation Tree Logic on Simple Structures Krishnendu Chatterjee Pallab Dasgupta P.P. Chakrabarti IWDC 2004,
Automatic Test Generation
Basic concepts of Model Checking
What is the SMV (Symbolic Model Verifier) System ?
Introduction Introduction to VHDL Entities Signals Data & Scalar Types
Automatic Verification of Industrial Designs
Introduction to SMV 2/19/2003.
Lecture 9: SMV: An Introduction
Presentation transcript:

2/18/20051 Introduction to SMV

2/18/20052 Symbolic Model Verifier Ken McMillan, Symbolic Model Checking: An Approach to the State Explosion Problem, Finite-state Systems described in a specialized language Specifications given as CTL formulas Internal representation using OBDDs Automatically verifies specification or produces a counterexample

2/18/20053 Overview of SMV SMV Input Language Finite State Kripke Structure Specification – CTL Formula OBDD based Symbolic Model Checking Yes No CounterExample Backend

2/18/20054 Language Characteristics Allows description of completely synchronous to asynchronous systems, detailed to abstract systems Modularized and hierarchical descriptions Finite data types: Boolean and enumerated

2/18/20055 Language Characteristics (cont..) Parallel-assignment syntax Non-determinism

2/18/20056 A Sample SMV Program MODULE main VAR request: boolean; state: {ready, busy}; ASSIGN init(state) := ready; next(state) := case state=ready & request: busy; 1: {ready, busy}; esac; SPEC AG(request -> AF (state = busy))

2/18/20057 SMV Syntax - Expressions Expr :: atom ;; symbolic constant | number ;; numeric constant | id ;; variable identifier | “!” expr ;; logical not | expr1 expr2 | “next” “(“ id “)” ;; next value | case_expr | set_expr

2/18/20058 The Case Expression Case_expr :: “case” expr_a1 “:” expr_b2 “;” … expr_an “:” expr_bn “;” “esac” Guards are evaluated sequentially. The first one that is true determines the resulting value If none of the guards are true, result is numeric value 1

2/18/20059 State Variables Decl :: “VAR” atom1 “:” type1 “;” atom2 “:” type2 “;” …  State is an assignment of values to a set of state variables  Type of a variable – boolean, scalar, user defined module, or array.

2/18/ ASSIGN declaration Decl :: “ASSIGN” dest1 “:=“ expr1 “;” dest2 “:=“ expr2 “;” … Dest :: atom | “init” “(“ atom “)” | “next” “(“ atom “)”

2/18/ Variable Assignments Assignment to initial state: init(value) := 0; Assignment to next state (transition relation) next(value) := value + carry_in mod 2; Assignment to current state (invariant) carry_out := value & carry_in; Either init-next or invar should be used, but not both SMV is a parallel assignment language

2/18/ Circular definitions … are not allowed! This is illegal: a := next(b); next(b) := c; c := a; This is o.k. init(a) := 0; next(a) := !b; init(b) := 1; next(b) := !a;

2/18/ Nondeterminism Completely unassigned variable can model unconstrained input. {val_1, …, val_n} is an expression taking on any of the given values nondeterministically. Nondeterministic choice can be used to: Model an implementation that has not been refined yet Abstract behavior

2/18/ ASSIGN and DEFINE VAR a: boolean; ASSIGN a := b | c; declares a new state variable a becomes part of invariant relation DEFINE d:= b | c; is effectively a macro definition, each occurrence of d is replaced by b | c no extra BDD variable is generated for d the BDD for b | c becomes part of each expression using d

2/18/ SPEC declaration Decl :: “SPEC” ctlform Ctlform :: expr ;; bool expression | “!” ctlform | ctlform1 ctlform2 | “E” pathform | “A” pathform Pathform :: “X” ctlform | “F” ctlform | “G” ctlform | ctlform1 “U” ctlform2

2/18/ Modules and Hierarchy Modules can be instantiated many times, each instantiation creates a copy of the local variables Each program has a module main Scoping Variables declared outside a module can be passed as parameters Parameters are passed by reference.

2/18/ Pass by reference DEFINE a := 0; VAR b : bar(a); … MODULE bar(x) DEFINE a := 1; y := x;

2/18/ Pass by reference … VAR a : boolean; b : foo(a); … MODULE foo(x) ASSIGN x:=1;

2/18/ MODULE main VAR bit0 : counter_cell(1); bit1 : counter_cell(bit0.carry_out); bit2 : counter_cell(bit1.carry_out); SPECAG AF bit2.carry_out MODULE counter_cell(carry_in) VARvalue : boolean; ASSIGN init(value) := 0; next(value) := value + carry_in mod 2; DEFINE carry_out := value & carry_in;

2/18/ Module Composition Synchronous composition All assignments are executed in parallel and synchronously. A single step of the resulting model corresponds to a step in each of the components. Asynchronous composition A step of the composition is a step by exactly one process. Variables, not assigned in that process, are left unchanged.

2/18/ Asynchronous Composition MODULE main VAR gate1: process inverter(gate3.output); gate2: process inverter(gate1.output); gate3: process inverter(gate2.output); SPEC (AG AF gate1.output) & (AG AF !gate1.output) MODULE inverter(input) VAR output: boolean; ASSIGN init(output) := 0; next(output) := !input;

2/18/ Fairness FAIRNESS ctl_formulae Assumed to be true infinitely often Model checker only explores paths satisfying fairness constraint Each fairness constraint must be true infinitely often If there are no fair paths All existential formulas are false All universal formulas are true FAIRNESS running

2/18/ With Fairness.. MODULE main VAR gate1: process inverter(gate3.output); gate2: process inverter(gate1.output); gate3: process inverter(gate2.output); SPEC (AG AF gate1.output) & (AG AF !gate1.output) MODULE inverter(input) VAR output: boolean; ASSIGN init(output) := 0; next(output) := !input; FAIRNESS running

2/18/ Counter revisited MODULE main VAR count_enable : boolean; bit0 : counter_cell(count_enable); bit1 : counter_cell(bit0.carr_out); bit2 : counter_cell(bit1.carry_out); SPEC AG AF bit2.carry_out FAIRNESS count_enable

2/18/ Synchronous vs Asynchronous In Asynchronous process, need not combine transition relation of each process Complexity of representing set of states reachable in n steps higher in asynchronous processes occassionally due to higher number of interleavings

2/18/ Implicit Modelling TRANS - boolean valued expr restricting transition relation of system INIT - boolean valued expression giving initial states INVAR - boolean valued expression restricting set of all states of model

2/18/ Implicit Modelling Example MODULE main VAR gate1 : inverter(gate3.output); gate2 : inverter(gate1.output); gate3 : inverter(gate2.output); SPEC (AG AF gate1.out) & (AG AF !gate1.out) MODULE inverter(input) VAR Output : boolean; INIT output = 0; TRANS next(output) = !input | next(output) = output

2/18/ TRANS Advantages Group assignments to different variables Good for modelling guarded commands Disadvantages Logical absurdities can lead to unimplementable descriptions

2/18/ Shared Data Example Two Users assign pid to shared data in turn MODULE main VAR data : boolean; turn : boolean; user0 : user(0, data, turn); user1 : user(1, data, turn); ASSIGN next(turn) := !turn; SPEC AG (AF data & AF (!data))

2/18/ Shared data example (cont..) Using ASSIGN and CASE statement won’t work(constraining sema all the time) MODULE user(pid, data, turn) ASSIGN next(data) := case turn: pid; 1 : data; esac; Line 3: multiple assignment: next(data)

2/18/ Using TRANS TRANS useful for changing shared data in synchronous system between modules. MODULE user(pid, turn, data) TRANS turn -> next(data) = pid

2/18/ Guarded Commands Guard1 : action1 Guard2 : action2.. Otherwise nop TRANS (guard1 & action1)| (guard2 & action2)| … (!guard1 & !guard2 & … & “nop”)

2/18/ TRANS Pitfall True -> next(b) = 0 & True -> next(b) = 1 & … Results in an empty transition relation

2/18/ TRANS Guidelines Try using ASSIGN instead Write in a disjunction of conjunction format Try covering all cases Try make guards disjoint

2/18/ SMV Steps Read_Model : read model from input smv file Flatten_hierarchy : instantiate modules and processes Build_model : compile the model into BDDs (initial state, invar, transition relation) Check_spec : checking specification bottom up

2/18/ Run SMV smv [options] inputfile -c cache-size for BDD operations -k key-table-size for BDD nodes -v verbose -int interactive mode -r prints out statistics about reachable state space

2/18/ SMV Options –f computes set of reachable states first Model checking algorithm traverses only the set of reachable states instead of complete state space. useful if reachable state space is a small fraction of total state space

2/18/ SMV Options: Reordering vars Variable reordering is crucial for small BDD sizes and speed. Generally, variables which are related need to be close in the ordering. –i filename –o filename Input, output BDD variable ordering to given file. -reorder Invokes automatic variable reordering

2/18/ SMV Options: Transition relation smv -cp part_limit  Conjunctive Partitioning: Transition relation not evaluated as a whole, instead individual next() assignments are grouped into partitions that do not exceed part_limit  Uses less memory and benefits from early quantification

2/18/ SMV options: -inc  Perform incremental evaluation of the transition relation  At each step in forward search, transition relation restriced to reached state set  Cuts down on size of transition relation with overhead of extra computation

2/18/ Example: Client & Server MODULE client (ack) VAR state : {idle, requesting}; req : boolean; ASSIGN init(state) := idle; next(state) := case state=idle : {idle, requesting}; state=requesting & ack : {idle, requesting}; 1 : state; esac; req := (state=requesting);

2/18/ MODULE server (req) VAR state : {idle, pending, acking}; ack : boolean; ASSIGN next(state) := case state=idle & req : pending; state=pending : {pending, acking}; state=acking & req : pending; state=acking & !req : idle; 1 : state; esac; ack := (state = acking);

2/18/ Is the specification true? MODULE main VAR c : client(s.ack); s : server(c.req); SPEC AG (c.req -> AF s.ack) Need fairness constraint: Suggestion: FAIRNESS s.ack Why is this bad? Solution: FAIRNESS (c.req -> s.ack)

2/18/ NuSMV Specifications expressible in CTL, LTL and Real time CTL logics Provides both BDD and SAT based model checking. Uses a number of heuristics for achieving efficiency and control state explosion Higher number of features in interactive mode

2/18/ Cadence SMV Provides “compositional techniques” to verify large complex systems by decomposition to smaller problems. Provides a variety of techniques for refinement verification, symmetry reductions, uninterpreted functions, data type reductions.

2/18/ Useful Links SMV sources, binaries and manuals SMV man page SMV manual Tutorial on verification techniques using Cadence SMV SMV Input Language documentation

2/18/ Downloads SMV NuSMV Cadence SMV mv

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.