2/18/20051 introduction to smv. 2/18/20052 symbolic model verifier ken mcmillan, symbolic model...
Post on 21-Dec-2015
229 views
TRANSCRIPT
2/18/2005 1
Introduction to SMV
2/18/2005 2
Symbolic Model Verifier Ken McMillan, Symbolic Model
Checking: An Approach to the State Explosion Problem, 1993.
Finite-state Systems described in a specialized language
Specifications given as CTL formulas Internal representation using OBDDs Automatically verifies specification or
produces a counterexample
2/18/2005 3
Overview of SMV
SMV Input Language
Finite State Kripke Structure
Specification – CTL Formula
OBDD based Symbolic Model Checking
Yes
No
CounterExample
Backend
2/18/2005 4
Language Characteristics Allows description of completely
synchronous to asynchronous systems, detailed to abstract systems
Modularized and hierarchical descriptions
Finite data types: Boolean and enumerated
2/18/2005 5
Language Characteristics (cont..)
Parallel-assignment syntax
Non-determinism
2/18/2005 6
A Sample SMV Program
MODULE mainVAR request: boolean; state: {ready, busy};ASSIGN init(state) := ready; next(state) :=
casestate=ready & request: busy;1: {ready, busy};
esac;SPEC AG(request -> AF (state = busy))
2/18/2005 7
SMV Syntax - ExpressionsExpr :: atom ;; symbolic constant | number ;; numeric constant | id ;; variable identifier | “!” expr ;; logical not | expr1 <op> expr2 | “next” “(“ id “)” ;; next value | case_expr | set_expr
2/18/2005 8
The Case ExpressionCase_expr :: “case” expr_a1 “:” expr_b2 “;” … expr_an “:” expr_bn “;” “esac” Guards are evaluated sequentially. The first one that is true determines the
resulting value If none of the guards are true, result is
numeric value 1
2/18/2005 9
State Variables
Decl :: “VAR” atom1 “:” type1 “;” atom2 “:” type2 “;” … State is an assignment of values to
a set of state variables Type of a variable – boolean, scalar,
user defined module, or array.
2/18/2005 10
ASSIGN declaration
Decl :: “ASSIGN” dest1 “:=“ expr1 “;” dest2 “:=“ expr2 “;” …Dest :: atom | “init” “(“ atom “)” | “next” “(“ atom “)”
2/18/2005 11
Variable Assignments
Assignment to initial state: init(value) := 0;
Assignment to next state (transition relation)next(value) := value + carry_in mod 2;
Assignment to current state (invariant)carry_out := value & carry_in;
Either init-next or invar should be used, but not both
SMV is a parallel assignment language
2/18/2005 12
Circular definitions … are not allowed! This is illegal:
a := next(b);next(b) := c;c := a;
This is o.k. init(a) := 0;
next(a) := !b;
init(b) := 1;next(b) := !a;
2/18/2005 13
Nondeterminism
Completely unassigned variable can model unconstrained input.
{val_1, …, val_n} is an expression taking on any of the given values nondeterministically.
Nondeterministic choice can be used to: Model an implementation that has not been
refined yet Abstract behavior
2/18/2005 14
ASSIGN and DEFINE
VAR a: boolean;ASSIGN a := b | c; declares a new state variable a becomes part of invariant relation
DEFINE d:= b | c; is effectively a macro definition, each
occurrence of d is replaced by b | c no extra BDD variable is generated for d the BDD for b | c becomes part of each
expression using d
2/18/2005 15
SPEC declaration Decl :: “SPEC” ctlform Ctlform :: expr ;; bool expression | “!” ctlform | ctlform1 <op> ctlform2 | “E” pathform | “A” pathform Pathform :: “X” ctlform | “F” ctlform | “G” ctlform | ctlform1 “U” ctlform2
2/18/2005 16
Modules and Hierarchy
Modules can be instantiated many times, each instantiation creates a copy of the local variables
Each program has a module main
Scoping Variables declared outside a module can be
passed as parameters
Parameters are passed by reference.
2/18/2005 17
Pass by referenceDEFINE a := 0;VAR b : bar(a);…MODULE bar(x)DEFINE a := 1; y := x;
2/18/2005 18
Pass by reference
…VAR a : boolean; b : foo(a);…MODULE foo(x)ASSIGN x:=1;
2/18/2005 19
MODULE mainVAR
bit0 : counter_cell(1);bit1 : counter_cell(bit0.carry_out);
bit2 : counter_cell(bit1.carry_out);SPEC AG AF bit2.carry_out
MODULE counter_cell(carry_in)VAR value : boolean;ASSIGN init(value) := 0; next(value) := value + carry_in mod 2;DEFINE carry_out := value & carry_in;
2/18/2005 20
Module Composition
Synchronous composition All assignments are executed in parallel and
synchronously. A single step of the resulting model
corresponds to a step in each of the components.
Asynchronous composition A step of the composition is a step by exactly
one process. Variables, not assigned in that process, are left
unchanged.
2/18/2005 21
Asynchronous Composition
MODULE mainVAR
gate1: process inverter(gate3.output);gate2: process inverter(gate1.output);gate3: process inverter(gate2.output);
SPEC (AG AF gate1.output) & (AG AF !gate1.output)
MODULE inverter(input)VAR output: boolean;ASSIGN init(output) := 0; next(output) := !input;
2/18/2005 22
Fairness FAIRNESS ctl_formulae
Assumed to be true infinitely often Model checker only explores paths satisfying
fairness constraint Each fairness constraint must be true infinitely
often
If there are no fair paths All existential formulas are false All universal formulas are true
FAIRNESS running
2/18/2005 23
With Fairness..MODULE mainVAR
gate1: process inverter(gate3.output);gate2: process inverter(gate1.output);gate3: process inverter(gate2.output);
SPEC (AG AF gate1.output) & (AG AF !gate1.output)
MODULE inverter(input)VAR output: boolean;ASSIGN init(output) := 0; next(output) := !input;
FAIRNESS running
2/18/2005 24
Counter revisited
MODULE mainVAR count_enable : boolean; bit0 : counter_cell(count_enable); bit1 : counter_cell(bit0.carr_out); bit2 : counter_cell(bit1.carry_out);SPEC AG AF bit2.carry_outFAIRNESS count_enable
2/18/2005 25
Synchronous vs Asynchronous• In Asynchronous process, need not
combine transition relation of each process
• Complexity of representing set of states reachable in n steps higher in asynchronous processes occassionally due to higher number of interleavings
2/18/2005 26
Implicit Modelling TRANS - boolean valued expr
restricting transition relation of system
INIT - boolean valued expression giving initial states
INVAR - boolean valued expression restricting set of all states of model
2/18/2005 27
Implicit Modelling ExampleMODULE mainVAR gate1 : inverter(gate3.output); gate2 : inverter(gate1.output); gate3 : inverter(gate2.output);SPEC (AG AF gate1.out) & (AG AF !gate1.out)
MODULE inverter(input)VAR Output : boolean;INIT output = 0;TRANS next(output) = !input | next(output) = output
2/18/2005 28
TRANS
Advantages• Group assignments to different variables• Good for modelling guarded commands
Disadvantages• Logical absurdities can lead to
unimplementable descriptions
2/18/2005 29
Shared Data ExampleTwo Users assign pid to shared data in turnMODULE mainVAR data : boolean; turn : boolean; user0 : user(0, data, turn); user1 : user(1, data, turn);ASSIGN next(turn) := !turn;SPEC AG (AF data & AF (!data))
2/18/2005 30
Shared data example (cont..)Using ASSIGN and CASE statement won’t
work(constraining sema all the time)MODULE user(pid, data, turn)ASSIGN next(data) := case turn: pid; 1 : data; esac;
Line 3: multiple assignment: next(data)
2/18/2005 31
Using TRANS
TRANS useful for changing shared data in synchronous system between modules.
MODULE user(pid, turn, data)TRANS turn -> next(data) = pid
2/18/2005 32
Guarded CommandsGuard1 : action1Guard2 : action2.. Otherwise nop
TRANS (guard1 & action1)|(guard2 & action2)|…(!guard1 & !guard2 & … & “nop”)
2/18/2005 33
TRANS Pitfall
True -> next(b) = 0 &True -> next(b) = 1 & …
Results in an empty transition relation
2/18/2005 34
TRANS Guidelines Try using ASSIGN instead Write in a disjunction of conjunction
format Try covering all cases Try make guards disjoint
2/18/2005 35
SMV Steps Read_Model : read model from input smv
file Flatten_hierarchy : instantiate modules
and processes Build_model : compile the model into
BDDs (initial state, invar, transition relation)
Check_spec : checking specification bottom up
2/18/2005 36
Run SMV smv [options] inputfile
-c cache-size for BDD operations -k key-table-size for BDD nodes -v verbose -int interactive mode -r
prints out statistics about reachable state space
2/18/2005 37
SMV Options –f
computes set of reachable states first Model checking algorithm traverses
only the set of reachable states instead of complete state space.
useful if reachable state space is a small fraction of total state space
2/18/2005 38
SMV Options: Reordering vars Variable reordering is crucial for small BDD sizes
and speed.
Generally, variables which are related need to be close in the ordering.
–i filename –o filename Input, output BDD variable ordering to given file.
-reorder Invokes automatic variable reordering
2/18/2005 39
SMV Options: Transition relation
smv -cp part_limit
Conjunctive Partitioning: Transition relation not evaluated as a whole, instead individual next() assignments are grouped into partitions that do not exceed part_limit
Uses less memory and benefits from early quantification
2/18/2005 40
SMV options: -inc Perform incremental evaluation of
the transition relation At each step in forward search,
transition relation restriced to reached state set
Cuts down on size of transition relation with overhead of extra computation
2/18/2005 41
Example: Client & ServerMODULE client (ack)VAR state : {idle, requesting}; req : boolean;
ASSIGN init(state) := idle; next(state) := case state=idle : {idle, requesting}; state=requesting & ack : {idle, requesting}; 1 : state; esac;
req := (state=requesting);
2/18/2005 42
MODULE server (req)
VAR state : {idle, pending, acking}; ack : boolean;
ASSIGN next(state) := case state=idle & req : pending; state=pending : {pending, acking}; state=acking & req : pending; state=acking & !req : idle; 1 : state; esac;
ack := (state = acking);
2/18/2005 43
Is the specification true?MODULE mainVAR c : client(s.ack); s : server(c.req);
SPEC AG (c.req -> AF s.ack)
Need fairness constraint: Suggestion:
FAIRNESS s.ack Why is this bad? Solution:
FAIRNESS (c.req -> s.ack)
2/18/2005 44
NuSMV Specifications expressible in CTL, LTL and
Real time CTL logics Provides both BDD and SAT based model
checking. Uses a number of heuristics for achieving
efficiency and control state explosion Higher number of features in interactive
mode
2/18/2005 45
Cadence SMV Provides “compositional
techniques” to verify large complex systems by decomposition to smaller problems.
Provides a variety of techniques for refinement verification, symmetry reductions, uninterpreted functions, data type reductions.
2/18/2005 46
Useful Links
SMV sources, binaries and manualshttp://www.cs.cmu.edu/~modelcheck/smv.html
SMV man page http://www.cs.cmu.edu/~dongw/smv.txt
SMV manualhttp://www.cs.cmu.edu/~modelcheck/smv/smvmanual.ps
Tutorial on verification techniques using Cadence SMVhttp://www-cad.eecs.berkeley.edu/~kenmcmil/tutorial.ps
SMV Input Language documentationhttp://www-cad.eecs.berkeley.edu/~kenmcmil/psdoc.html
2/18/2005 47
Downloads SMVwww.cs.cmu.edu/~modelcheck/smv.html NuSMVhttp://nusmv.irst.itc.it/ Cadence SMVhttp://wwwcad.eecs.berkeley.edu/~kenmcmil/smv