SMV TUTORIAL – Part I Eriko Nurvitadhi Note: content of these slides are from “Getting started with SMV” by K. L. McMillan, 1999. Refer to this document.

Slides:



Advertisements
Similar presentations
Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.
Advertisements

Part II Concepts.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Copyright W. Howden1 Programming by Contract CSE 111 6/4/2014.
Mutual Exclusion – SW & HW By Oded Regev. Outline: Short review on the Bakery algorithm Short review on the Bakery algorithm Black & White Algorithm Black.
Introduction to SMV Part 2
Algorithmic Software Verification VII. Computation tree logic and bisimulations.
Deadlock and Starvation
Concurrency: Deadlock and Starvation Chapter 6. Deadlock Permanent blocking of a set of processes that either compete for system resources or communicate.
1 Lecture 6: Directory Protocols Topics: directory-based cache coherence implementations (wrap-up of SGI Origin and Sequent NUMA case study)
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
Mutual Exclusion By Shiran Mizrahi. Critical Section class Counter { private int value = 1; //counter starts at one public Counter(int c) { //constructor.
Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 5: Process Synchronization.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 6: Process Synchronization.
Multiprocessor Synchronization Algorithms ( ) Lecturer: Danny Hendler The Mutual Exclusion problem.
Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.
FIT FIT1002 Computer Programming Unit 19 Testing and Debugging.
CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.
Chapter 3 The Critical Section Problem
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.
Ceng Operating Systems Chapter 2.4 : Deadlocks Process concept  Process scheduling  Interprocess communication  Deadlocks Threads.
1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania, Fall 2003 Lecture Note: Deadlocks.
Deadlocks Vivek Pai / Kai Li Princeton University.
Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.
1 Using Cadence SMV to verify temporal properties of finite-state machines : Intro to Model Checking October 9, 2008.
Contemporary Logic Design Finite State Machine Design © R.H. Katz Transparency No Chapter #8: Finite State Machine Design 8.5 Finite State Machine.
Review of the automata-theoretic approach to model-checking.
Traffic Light Controller Examples in SMV Himanshu Jain Bug catching (Fall 2007)
Concurrency: Deadlock and Starvation Chapter 6. Goal and approach Deadlock and starvation Underlying principles Solutions? –Prevention –Detection –Avoidance.
Programmable Logic Controllers
1 Introduction to SMV and Model Checking Mostly by: Ken McMillan Cadence Berkeley Labs Small parts by: Brandon Eames ISIS/Vanderbilt.
CS6133 Software Specification and Verification
CIS 234: LOOPS Adapted from materials by Dr. Donald Bell, 2000 (updated April 2007)
Sept COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 15 More Advanced Program Properties: Temporal logic and jSpin John Gurd,
Mr. Dave Clausen1 La Cañada High School Chapter 6: Repetition Statements.
Introduction to Formal Verification using Rulebase April 18, 2001 Rebecca Gott eServer I/O Development Hardware Verification
Operating Systems ECE344 Ashvin Goel ECE University of Toronto Mutual Exclusion.
2/19/20031 Introduction to SMV. 2/19/20032 Useful Links CMU Model checking homepage SMV windows version
A brief history of model checking Ken McMillan Cadence Berkeley Labs
1 Example: traffic light controller Guarantee no collisions Guarantee eventual service E S N.
Saeed Ghanbartehrani Summer 2015 Lecture Notes #5: Programming Structures IE 212: Computational Methods for Industrial Engineering.
CS101 Computer Programming I Chapter 4 Extra Examples.
Design of Bio-Medical Virtual Instrumentation Tutorial 2.
Hwajung Lee. The State-transition model The set of global states = s 0 x s 1 x … x s m {s k is the set of local states of process k} S0  S1  S2  Each.
Operating Systems CMPSC 473 Mutual Exclusion Lecture 11: October 5, 2010 Instructor: Bhuvan Urgaonkar.
Verification & Validation By: Amir Masoud Gharehbaghi
 In computer programming, a loop is a sequence of instruction s that is continually repeated until a certain condition is reached.  PHP Loops :  In.
Monitors and Blocking Synchronization Dalia Cohn Alperovich Based on “The Art of Multiprocessor Programming” by Herlihy & Shavit, chapter 8.
Automated Composition and Analysis. Web Services: Design and Analysis2 Automated Composition Given a specification of the composite service, find individual.
Software Systems Verification and Validation Laboratory Assignment 4 Model checking Assignment date: Lab 4 Delivery date: Lab 4, 5.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
From Natural Language to LTL: Difficulties Capturing Natural Language Specification in Formal Languages for Automatic Analysis Elsa L Gunter NJIT.
Presented by: Belgi Amir Seminar in Distributed Algorithms Designing correct concurrent algorithms Spring 2013.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Hwajung Lee. Mutual Exclusion CS p0 p1 p2 p3 Some applications are:  Resource sharing  Avoiding concurrent update on shared data  Controlling the.
11 Making Decisions in a Program Session 2.3. Session Overview  Introduce the idea of an algorithm  Show how a program can make logical decisions based.
Background on the need for Synchronization
CPE555A: Real-Time Embedded Systems
Chapter 6 : Deadlocks What is a Deadlock?
Microsoft Visual Basic 2005 BASICS
Mutual Exclusion CS p0 CS p1 p2 CS CS p3.
CSCI1600: Embedded and Real Time Software
Introduction to SMV 2/19/2003.
COMP60621 Designing for Parallelism
Presentation transcript:

SMV TUTORIAL – Part I Eriko Nurvitadhi Note: content of these slides are from “Getting started with SMV” by K. L. McMillan, Refer to this document for more details.

Agenda  Part I – SMV Basics (this talk)  About SMV  Example 1: a simple 2-way arbiter Creating an SMV Description Correctness specification with temporal logic operators Running SMV Debugging example  Example 2: traffic light controller Using case and default constructs Specifying assumptions Debugging examples  Example 3: buffer allocation controller Using iterator and chain constructs BDD limit  Part II – Compositional Verification 10/19/ SMV Tutorial

About SMV  SMV: Symbolic Model Verifier  SMV flavors  Cadence SMV (this tutorial) based on Ken McMillan’s work at CMU can do compositional verification  NuSMV open source System Description + Properties (.smv file) System Description + Properties (.smv file) Properties true? (model checking with SMV) Properties true? (model checking with SMV) Yes No (includes a counter example) 10/19/ SMV Tutorial ✔ ✖

Example 1: 2-way Arbiter  Arbitrate 2 nodes from accessing a shared resource  Specification  Node request(s) should result in a grant  Both grant signals (ack1, 2) never asserted at same time 10/19/ SMV Tutorial Node 1 Node 2 2-way Arbiter req1 ack2ack1 req2 A shared Resource

2-way Arbiter: SMV Description module main(req1,req2,ack1,ack2){ input req1,req2 : boolean; output ack1,ack2 : boolean; ack1 := req1; ack2 := req2 & ~req1; mutex : assert G ~(ack1 & ack2); serve : assert G ((req1 | req2) -> (ack1 | ack2)); waste1 : assert G (ack1 -> req1); waste2 : assert G (ack2 -> req2); } 10/19/ SMV Tutorial Node 1 Node 2 2-way Arbiter req1 ack2ack1 req2 A shared Resource

Specifying Correctness Properties with Temporal Logic Operators  The “global” operator (e.g., G p)  The “future” operator (e.g., F p)  The “until” operator (e.g., p U q)  The “next time” operator (e.g., X p) ppppppppppp… Gp … 10/19/ SMV Tutorial pppp Fp … … Fp pppp pUq … … pUq pppp

2-way Arbiter: Correctness Properties module main(req1,req2,ack1,ack2){ input req1,req2 : boolean; output ack1,ack2 : boolean; ack1 := req1; ack2 := req2 & ~req1; mutex : assert G ~(ack1 & ack2); serve : assert G ((req1 | req2) -> (ack1 | ack2)); waste1 : assert G (ack1 -> req1); waste2 : assert G (ack2 -> req2); } 10/19/ SMV Tutorial  Specification  Node request(s) should result in a grant  Both grant signals (ack1, 2) never asserted at same time

Cadence SMV Demonstration  Show running the 2-way arbiter example with SMV  Invoking SMV  Property panel  Running the verification all properties should be true for this example 10/19/ SMV Tutorial

2-way Arbiter: Starvation Property  Suppose that the arbiter should avoid starvation  i.e., we don’t want (lower priority) Node 2 requesting, and never granted access to the shared resource  For this, we add the following property no_starve : assert G F (~req2 | ack2);  i.e., it should “always eventually be true that either req2 is negated or ack2 is asserted” 10/19/ SMV Tutorial Node 1 Node 2 2-way Arbiter req1 ack2ack1 req2 A shared Resource ✔✖

Cadence SMV Demonstration  Show re-running the example with SMV  no_starve property should be false  walk-through the counter example given by SMV 10/19/ SMV Tutorial

2-way Arbiter: Starvation Avoidance  We can add a latch, bit  remembers whether ack1 was asserted previously  if so, give priority to Node 2 this time  The SMV description bit : boolean; next(bit) := ack1; if (bit) { /* ack1 asserted previously */ ack1 := req1 & ~req2; ack2 := req2;/* prioritize Node 2 */ } else { ack1 := req1;/* prioritize Node 1 */ ack2 := req2 & ~req1; } 10/19/ SMV Tutorial

Cadence SMV Demonstration  Show re-running the example with SMV  no_starve property should be true now  state variables (e.g., bit ), and their impact on state explosion 10/19/ SMV Tutorial

Example 2: Traffic Light Controller  Controls the traffic lights at an intersection module main(N_Sense,S_Sense,E_Sense,N_Go,S_Go,E_Go){ input N_Sense,S_Sense,E_Sense : boolean; output N_Go,S_Go,E_Go : boolean; NS_Lock : boolean; /* set when north or south traffic enabled */ N_Req, S_Req, E_Req : boolean; /* remember previous values of traffic sensor inputs */ init(N_Go):= 0; init(S_Go):= 0; init(E_Go):= 0; init(NS_Lock):= 0; init(N_Req):= 0; init(S_Req):= 0; init(E_Req):= 0; 10/19/ SMV Tutorial Controller N_Sense S_Sense E_Sense N_Go S_Go E_Go E_Sense ~E_Go N_Go S_Go Any car at the intersection? Should the traffic go?

Controller Logic  “Remembers” set sense bits default{ if(N_Sense) next(N_Req) := 1; if(S_Sense) next(S_Req) := 1; if(E_Sense) next(E_Req) := 1; }  North-going light in default case{ N_Req & ~N_Go & ~E_Req : { next(NS_Lock) := 1; /* set lock */ next(N_Go) := 1; /* turn on light */ } N_Go & ~N_Sense : { next(N_Go) := 0; /* turn off */ next(N_Req) := 0; /* clear history */ if(~S_Go) next(NS_Lock) := 0; /* unlock if South-going is off */ } 10/19/ SMV Tutorial N_Reg ~N_Go ~E_Reg ~N_Sense N_Go ~S_Go Prevent collision with East traffic Note 2: default {block1} in {block2} Means block2 takes precedence over block1 Note 2: default {block1} in {block2} Means block2 takes precedence over block1 Note 1: case{ cond1 : {block1} cond2 : {block2} cond3 : {block3} } Is same as if (cond1) {block1} else if (cond2) {block2} else if (cond3) {block3} Note 1: case{ cond1 : {block1} cond2 : {block2} cond3 : {block3} } Is same as if (cond1) {block1} else if (cond2) {block2} else if (cond3) {block3} Prioritize East traffic

Controller Logic  South-going light (similar to North-going) in default case{ S_Req & ~S_Go & ~E_Req : { next(NS_Lock) := 1; next(S_Go) := 1; } S_Go & ~S_Sense : { next(S_Go) := 0; next(S_Req) := 0; if(~N_Go) next(NS_Lock) := 0; }  East-going light in case{ E_Req & ~NS_Lock & ~E_Go : next(E_Go) := 1; /* turn on */ E_Go & ~E_Sense : { next(E_Go) := 0; /* turn off */ next(E_Req) := 0; /* clear history */ } 10/19/ SMV Tutorial E_Reg E_Go ~E_Go ~E_Sense

Specifications and Assumptions  Safety: light in cross directions never on at same time safety: assert G ~(E_Go & (N_Go | S_Go));  Liveness: no traffic waits forever N_live : assert G (N_Sense -> F N_Go); S_live : assert G (S_Sense -> F S_Go); E_live : assert G (E_Sense -> F E_Go);  Fairness assumptions: car don’t wait at green light forever  “always eventually, it is not the case that a car is at a green light” N_fair : assert G F ~(N_Sense & N_Go); S_fair : assert G F ~(S_Sense & S_Go); E_fair : assert G F ~(E_Sense & E_Go);  Setting up the proof using N_fair, S_fair, E_fair prove N_live, S_live, E_live; assume N_fair, S_fair, E_fair; 10/19/ SMV Tutorial

Bug 1: Safety  Cleared lock when south light goes off exactly when north light goes on  North light will be on w/o a lock  can cause collision w/ East traffic!  Caused by our use of default, which puts South light code at higher precedence than North light /* Original South light controller code */ in default case{ S_Req & ~S_Go & ~E_Req : { next(NS_Lock) := 1; next(S_Go) := 1; } S_Go & ~S_Sense : { next(S_Go) := 0; next(S_Req) := 0; if(~N_Go) next(NS_Lock) := 0; } 10/19/ SMV Tutorial  The fix: have South light code check whether North light about to go on before unlocking if( ~( N_Go | /* North light about to go on? */ N_Reg & ~N_Go & ~E_Reg) ) next(NS_Lock) := 0;

Bug 2: Liveness  Un-cleared lock when North & South go off same time  Lock stays on  “higher-priority” East light un-served  deadlocked!  Each North and South code block think the other light is still on, so no one clears the lock /* Original North light controller code */ in default case{ N_Req & ~N_Go & ~E_Req : { next(NS_Lock) := 1; next(N_Go) := 1; } N_Go & ~N_Sense : { next(N_Go) := 0; /* turn off */ next(N_Req) := 0; /* clear history */ if(~S_Go) next(NS_Lock) := 0; /* unlock if South-going is off */ } 10/19/ SMV Tutorial  The fix: give North light controller responsibility to turn off the lock when both lights are going off if( ~S_Go | /* South already off */ ~S_Sense) /* South will go off */ next(NS_Lock) := 0;

Example 3: Buffer Alloc. Controller  Controls the allocation and freeing of buffers #define SIZE 32 module main(alloc,nack,alloc_addr,free,free_addr) { input alloc : boolean; output nack : boolean; output alloc_addr : 0..(SIZE - 1); input free : boolean; input free_addr : 0..(SIZE - 1); busy : array 0..(SIZE - 1) of boolean; count : 0..(SIZE); 10/19/ SMV Tutorial alloc free free_addr nack alloc_addr Controller busy count Buffers SIZE

Controller Logic  Initialization /* bit 0 to (SIZE-1) is init to 0 using iterator expression */ init(busy) := [0 : i = 0..(SIZE-1)]; init(count) := 0;  Nack  when allocation is requested, but busy bit count is equal to buffer size  i.e., all entries are busy, no free buffer nack := alloc & (count = SIZE);  Count update  +1 when allocation requested, and no nack  -1 on free request on a busy buffer next(count) := count + (alloc & ~nack) - (free & busy[free_addr]); 10/19/ SMV Tutorial alloc free free_addr nack alloc_addr busy count

Controller Logic  Setting/clearing busy bits  Note: allocation takes precedence if buffer is freed and allocated at same time default{ /* free request */ if(free) next(busy[free_addr]) := 0; } in { /* allocation request AND buffer available (no nack) */ if(alloc & ~nack) next(busy[alloc_addr]) := 1; }  Choosing a buffer to allocate  scan from buffer 0 to SIZE-1, allocate the first one that’s free chain(i = (SIZE - 1); i >= 0; i = i - 1){ if(~busy[i]) alloc_addr := i; /* buffer available, output addr */ } 10/19/ SMV Tutorial alloc free free_addr nack alloc_addr busy count default { if(~busy[SIZE-1]) alloc_addr := SIZE-1 } in default { if(~busy[SIZE-2]) alloc_addr := SIZE-2 }... in default { if(~busy[0]) alloc_addr := 0 } default { if(~busy[SIZE-1]) alloc_addr := SIZE-1 } in default { if(~busy[SIZE-2]) alloc_addr := SIZE-2 }... in default { if(~busy[0]) alloc_addr := 0 }

Specification  Safety: buffer never allocated twice without being freed  note: we’ll write the specification for each buffer /* Helper signals */ for(i = 0; i < SIZE; i = i+1){ allocd[i], freed[i] : boolean; /* buffer i is being allocated */ allocd[i] := alloc & ~nack & alloc_addr = i; /* buffer i is being freed */ freed[i] := free & free_addr = i; } /* The specification */ for(i = 0; i < SIZE; i = i+1){ safe[i] : assert G (allocd[i] -> ~ X ((~freed[i]) U allocd[i])); } 10/19/ SMV Tutorial “if buffer i is allocated, then it is not the case that, starting at the next time, it remains unfreed until it is allocated a second time.” Alloc’d Used Alloc’d Used Freed Alloc’d ✔ ✖

BDD Limit  SMV uses symbolic model checking with BDD  Allows handling more states than explicit enumeration  Nevertheless, does not eliminate state explosion  For buffer allocation controller example – verifying safe[0]  Buffer size of 32  under 1 minute, 10 9 states reached  Buffer size of 64  10+ minutes, states reached  … eventually, state explosion! How can we scale further? 10/19/ SMV Tutorial

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.