Introduction to SMV
2/18/2005

Symbolic Model Verifier
• Ken McMillan, Symbolic Model Checking: An Approach to the State Explosion Problem, 1993.
• Finite-state systems described in a specialized language
• Specifications given as CTL formulas
• Internal representation using OBDDs
• Automatically verifies the specification or produces a counterexample
Overview of SMV
  Input Language --> Finite-State Kripke Structure --> Backend: OBDD-based Symbolic Model Checking
  Specification (CTL formula) --> Backend
  Backend output: Yes (the specification holds), or No with a counterexample
Language Characteristics
• Allows description of systems from completely synchronous to asynchronous, and from detailed to abstract
• Modularized and hierarchical descriptions
• Finite data types: Boolean and enumerated
• Parallel-assignment syntax
• Non-determinism
A Sample SMV Program
  MODULE main
  VAR
    request : boolean;
    state   : {ready, busy};
  ASSIGN
    init(state) := ready;
    next(state) :=
      case
        state = ready & request : busy;
        1                       : {ready, busy};
      esac;
  SPEC
    AG (request -> AF (state = busy))
SMV Syntax - Expressions
  expr ::= atom                 ;; symbolic constant
         | number               ;; numeric constant
         | id                   ;; variable identifier
         | "!" expr             ;; logical not
         | expr1 <op> expr2     ;; binary operator
         | "next" "(" id ")"    ;; next value
         | case_expr
         | set_expr
The Case Expression
  case_expr ::= "case"
                  expr_a1 ":" expr_b1 ";"
                  ...
                  expr_an ":" expr_bn ";"
                "esac"
• Guards are evaluated sequentially.
• The first guard that is true determines the resulting value.
• If none of the guards is true, the result is the numeric value 1.
State Variables
  decl ::= "VAR"
             atom1 ":" type1 ";"
             atom2 ":" type2 ";"
             ...
• A state is an assignment of values to the set of state variables.
• Type of a variable: boolean, scalar (enumerated), user-defined module, or array.
ASSIGN Declaration
  decl ::= "ASSIGN"
             dest1 ":=" expr1 ";"
             dest2 ":=" expr2 ";"
             ...
  dest ::= atom
         | "init" "(" atom ")"
         | "next" "(" atom ")"
Variable Assignments
• Assignment to the initial state:
    init(value) := 0;
• Assignment to the next state (transition relation):
    next(value) := (value + carry_in) mod 2;
• Assignment to the current state (invariant):
    carry_out := value & carry_in;
• For a given variable, either the init/next pair or the invariant form should be used, but not both.
• SMV is a parallel-assignment language.
Circular Definitions
• ... are not allowed! This is illegal:
    a       := next(b);
    next(b) := c;
    c       := a;
• This is OK:
    init(a) := 0;
    next(a) := !b;
    init(b) := 1;
    next(b) := !a;
Nondeterminism
• A completely unassigned variable can model an unconstrained input.
• {val_1, ..., val_n} is an expression taking on any of the given values nondeterministically.
• Nondeterministic choice can be used to:
  • model an implementation that has not been refined yet
  • abstract behavior
ASSIGN and DEFINE
• VAR a : boolean; ASSIGN a := b | c;
  • declares a new state variable a
  • the assignment becomes part of the invariant relation
• DEFINE d := b | c;
  • is effectively a macro definition: each occurrence of d is replaced by b | c
  • no extra BDD variable is generated for d
  • the BDD for b | c becomes part of each expression using d
SPEC Declaration
  decl     ::= "SPEC" ctlform
  ctlform  ::= expr                     ;; boolean expression
             | "!" ctlform
             | ctlform1 <op> ctlform2
             | "E" pathform
             | "A" pathform
  pathform ::= "X" ctlform
             | "F" ctlform
             | "G" ctlform
             | ctlform1 "U" ctlform2
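To make the semantics of the sample program and its SPEC concrete, here is an added example (not part of the slides, and not SMV's own code): the program's ASSIGN block turned into an explicit Kripke structure, the CTL operators AF, EF and AG computed by fixpoint iteration over state sets, and a breadth-first search that produces a counterexample path for a specification that fails. SMV does the same computation symbolically on OBDDs; this version uses plain Python sets because the program has only four states. The helper names (`case`, `next_states`, `AF`, `AG`, `counterexample`) are this example's own.

```python
# Added example: explicit-state model of the sample SMV program and a CTL
# check of its SPEC. SMV works on OBDDs; with 4 states, Python sets suffice.
from itertools import product

READY, BUSY = "ready", "busy"

def case(*arms):
    """SMV case expression: arms are (guard, value); the first true guard
    wins, and with no true guard the result is the numeric value 1."""
    for guard, value in arms:
        if guard:
            return value
    return 1

# A state is (request, state). `request` is never assigned, so it is an
# unconstrained input that may take either value in any step.
STATES = list(product([False, True], [READY, BUSY]))

def init_states():
    """init(state) := ready; request is free in the initial state as well."""
    return {s for s in STATES if s[1] == READY}

def next_states(s):
    """Successors under next(state) := case state=ready & request : busy;
    1 : {ready, busy}; esac  (request is chosen freely each step)."""
    request, st = s
    choices = case((st == READY and request, {BUSY}),
                   (True, {READY, BUSY}))
    return {(r, n) for r in (False, True) for n in choices}

def pre(target):
    """EX target: states with at least one successor in target."""
    return {s for s in STATES if next_states(s) & target}

def AF(p):
    """Least fixpoint of p | AX Z: states from which every path hits p."""
    z = set(p)
    while True:
        new = z | {s for s in STATES if next_states(s) <= z}
        if new == z:
            return z
        z = new

def EF(p):
    """Least fixpoint of p | EX Z: states from which some path hits p."""
    z = set(p)
    while True:
        new = z | pre(z)
        if new == z:
            return z
        z = new

def AG(p):
    return set(STATES) - EF(set(STATES) - set(p))

def implies(a, b):
    return (set(STATES) - set(a)) | set(b)

def check(spec_states):
    """A SPEC holds iff every initial state satisfies it."""
    return init_states() <= spec_states

def counterexample(bad):
    """Shortest path (BFS) from an initial state to a state in `bad`."""
    frontier = [[s] for s in init_states()]
    seen = set(init_states())
    while frontier:
        path = frontier.pop(0)
        if path[-1] in bad:
            return path
        for t in next_states(path[-1]):
            if t not in seen:
                seen.add(t)
                frontier.append(path + [t])
    return None

def spec_holds():
    """SPEC AG (request -> AF (state = busy)) from the slide."""
    request = {s for s in STATES if s[0]}
    busy = {s for s in STATES if s[1] == BUSY}
    return check(AG(implies(request, AF(busy))))

def bad_spec_trace():
    """AG (state = ready) is false: return the counterexample path."""
    busy = {s for s in STATES if s[1] == BUSY}
    return counterexample(busy)

if __name__ == "__main__":
    print("AG (request -> AF (state = busy)) holds:", spec_holds())
    print("counterexample for AG (state = ready):", bad_spec_trace())
```

AF is computed as the least fixpoint of Z = p | AX Z and AG as the complement of EF(!p); both converge in at most as many rounds as there are states, which is exactly the iteration SMV performs on BDD-encoded sets.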
Modules and Hierarchy
• Modules can be instantiated many times; each instantiation creates a copy of the local variables.
• Each program has a module main.
• Scoping:
  • Variables declared outside a module can be passed as parameters.
  • Parameters are passed by reference.
Pass by Reference
  DEFINE a := 0;
  VAR b : bar(a);
  ...
  MODULE bar(x)
  DEFINE
    a := 1;
    y := x;    -- x refers to the caller's a (value 0), not to bar's own a
Pass by Reference
  ...
  VAR a : boolean;
      b : foo(a);
  ...
  MODULE foo(x)
  ASSIGN
    x := 1;    -- assigns to the caller's variable a through the parameter
Example: 3-bit Counter
  MODULE main
  VAR
    bit0 : counter_cell(1);
    bit1 : counter_cell(bit0.carry_out);
    bit2 : counter_cell(bit1.carry_out);
  SPEC
    AG AF bit2.carry_out

  MODULE counter_cell(carry_in)
  VAR
    value : boolean;
  ASSIGN
    init(value) := 0;
    next(value) := (value + carry_in) mod 2;
  DEFINE
    carry_out := value & carry_in;
Module Composition
• Synchronous composition
  • All assignments are executed in parallel and synchronously. A single step of the resulting model corresponds to a step in each of the components.
• Asynchronous composition
  • A step of the composition is a step by exactly one process.
  • Variables not assigned in that process are left unchanged.
Asynchronous Composition
  MODULE main
  VAR
    gate1 : process inverter(gate3.output);
    gate2 : process inverter(gate1.output);
    gate3 : process inverter(gate2.output);
  SPEC
    (AG AF gate1.output) & (AG AF !gate1.output)

  MODULE inverter(input)
  VAR
    output : boolean;
  ASSIGN
    init(output) := 0;
    next(output) := !input;
Fairness
• FAIRNESS ctl_formula
  • Assumed to be true infinitely often
  • The model checker only explores paths satisfying the fairness constraint
  • Each fairness constraint must be true infinitely often
• If there are no fair paths
  • All existential formulas are false
  • All universal formulas are true
• FAIRNESS running
  • every process must be selected to run infinitely often
With Fairness
  MODULE main
  VAR
    gate1 : process inverter(gate3.output);
    gate2 : process inverter(gate1.output);
    gate3 : process inverter(gate2.output);
  SPEC
    (AG AF gate1.output) & (AG AF !gate1.output)

  MODULE inverter(input)
  VAR
    output : boolean;
  ASSIGN
    init(output) := 0;
    next(output) := !input;
  FAIRNESS
    running
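The following added example (not from the slides, and not SMV's own code) applies the two composition rules from the Module Composition slide to the inverter ring: a state is the tuple (gate1.output, gate2.output, gate3.output), `successors_sync` steps every gate in one tick, and `successors_async` steps exactly one process and leaves the rest unchanged. It then enumerates the reachable states under each composition and replays an explicit schedule of process selections, which exhibits the kind of path that FAIRNESS running excludes: if gate2 is the only process ever selected, the ring settles at (0,1,0) and gate1.output is never 1, so without fairness AG AF gate1.output cannot hold. The function names and the schedules are this example's own.

```python
# Added example: synchronous vs asynchronous composition of the inverter
# ring from the slides, with explicit schedules of process selections.
GATES = ("gate1", "gate2", "gate3")
INIT = (0, 0, 0)          # init(output) := 0 in every inverter

def step_gate(state, i):
    """next(output) := !input for gate i; gate i's input is the output of
    the gate before it in the ring (gate1's input is gate3's output)."""
    new = list(state)
    new[i] = 1 - state[(i - 1) % 3]
    return tuple(new)

def successors_sync(state):
    """Synchronous composition: every gate steps in the same tick."""
    return {tuple(1 - state[(i - 1) % 3] for i in range(3))}

def successors_async(state):
    """Asynchronous composition: exactly one process steps, the rest hold."""
    return {step_gate(state, i) for i in range(3)}

def reachable(succ, start=INIT):
    """All states reachable from `start` under the successor function."""
    seen, todo = {start}, [start]
    while todo:
        s = todo.pop()
        for t in succ(s):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def run_schedule(schedule, start=INIT):
    """Trace of an asynchronous run for an explicit list of chosen gates."""
    trace = [start]
    for name in schedule:
        trace.append(step_gate(trace[-1], GATES.index(name)))
    return trace

def gate1_ever_high(trace):
    return any(s[0] == 1 for s in trace)

if __name__ == "__main__":
    print("sync reachable :", sorted(reachable(successors_sync)))
    print("async reachable:", sorted(reachable(successors_async)))
    # Unfair schedule: gate2 is the only process ever selected. After one
    # step the state is (0,1,0) and never changes; gate1.output stays 0.
    print("gate2 forever  :", run_schedule(["gate2"] * 4))
    # Round-robin schedule (every process runs repeatedly): gate1.output
    # goes high in the very first step and keeps toggling.
    print("round robin    :", run_schedule(["gate1", "gate2", "gate3"] * 2))
```

Under synchronous composition the ring simply alternates between (0,0,0) and (1,1,1); under asynchronous composition seven of the eight output combinations are reachable, and the number of distinct interleavings is what the Synchronous vs Asynchronous slide refers to.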
Counter Revisited
  MODULE main
  VAR
    count_enable : boolean;
    bit0 : counter_cell(count_enable);
    bit1 : counter_cell(bit0.carry_out);
    bit2 : counter_cell(bit1.carry_out);
  SPEC
    AG AF bit2.carry_out
  FAIRNESS
    count_enable
Synchronous vs Asynchronous
• In asynchronous composition, the transition relations of the individual processes need not be combined into one.
• Representing the set of states reachable in n steps is occasionally more complex for asynchronous processes, because of the higher number of interleavings.
Implicit Modelling
• TRANS - boolean-valued expression restricting the transition relation of the system
• INIT - boolean-valued expression giving the initial states
• INVAR - boolean-valued expression restricting the set of all states of the model
Implicit Modelling Example
  MODULE main
  VAR
    gate1 : inverter(gate3.output);
    gate2 : inverter(gate1.output);
    gate3 : inverter(gate2.output);
  SPEC
    (AG AF gate1.output) & (AG AF !gate1.output)

  MODULE inverter(input)
  VAR
    output : boolean;
  INIT
    output = 0
  TRANS
    next(output) = !input | next(output) = output
TRANS
Advantages
• Groups assignments to different variables
• Good for modelling guarded commands
Disadvantages
• Logical absurdities can lead to unimplementable descriptions
Shared Data Example
Two users assign their pid to shared data in turn.
  MODULE main
  VAR
    data  : boolean;
    turn  : boolean;
    user0 : user(0, data, turn);
    user1 : user(1, data, turn);
  ASSIGN
    next(turn) := !turn;
  SPEC
    AG (AF data & AF (!data))
Shared Data Example (cont.)
Using ASSIGN and a case statement won't work: each instance constrains the shared data all the time, so the two instances both assign next(data).
  MODULE user(pid, data, turn)
  ASSIGN
    next(data) :=
      case
        turn = pid : pid;    -- write only on this user's turn
        1          : data;
      esac;
Error reported: Line 3: multiple assignment: next(data)
Using TRANS
TRANS is useful for changing shared data between modules in a synchronous system.
  MODULE user(pid, data, turn)
  TRANS
    turn = pid -> next(data) = pid
Guarded Commands
  guard1 : action1
  guard2 : action2
  ...
  otherwise nop
becomes
  TRANS
    (guard1 & action1) |
    (guard2 & action2) |
    ... |
    (!guard1 & !guard2 & ... & "nop")
TRANS Pitfall
  TRANS
    (1 -> next(b) = 0) &
    (1 -> next(b) = 1) &
    ...
Results in an empty transition relation.
TRANS Guidelines
• Try using ASSIGN instead.
• Write constraints in disjunction-of-conjunctions form.
• Try to cover all cases.
• Try to make the guards disjoint.
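An added example (not from the slides, and not SMV's own code) that makes the TRANS pitfall and the guidelines visible: it enumerates the (current, next) pairs that a TRANS predicate allows over three boolean variables and reports the states that end up with no successor at all. Three constructed constraints are compared: the contradictory conjunction from the TRANS Pitfall slide, two module-style constraints whose guards overlap and whose actions disagree, and the same guarded commands with disjoint guards written as a disjunction of conjunctions with an explicit nop arm. The variable names `b`, `turn` and `data` follow the slides; the scenario and the helper names are this example's own.

```python
# Added example: the transition relation denoted by a TRANS predicate,
# enumerated explicitly, with a check for states that have no successor.
from itertools import product

VARS = ("b", "turn", "data")
STATES = [dict(zip(VARS, bits)) for bits in product([0, 1], repeat=len(VARS))]

def key(s):
    return tuple(s[v] for v in VARS)

def relation(trans):
    """All (current, next) pairs the TRANS predicate allows."""
    return {(key(cur), key(nxt))
            for cur in STATES for nxt in STATES if trans(cur, nxt)}

def dead_states(rel):
    """States with no successor: from these every A-formula holds
    vacuously and every E-formula fails, which hides modelling mistakes."""
    sources = {cur for cur, _ in rel}
    return {key(s) for s in STATES} - sources

def implies(p, q):
    return (not p) or q

# TRANS Pitfall slide: two conjoined constraints that contradict each other.
def trans_pitfall(cur, nxt):
    return implies(True, nxt["b"] == 0) and implies(True, nxt["b"] == 1)

# Two instances of a shared-data module (pids 0 and 1) each contribute a
# TRANS constraint, and SMV conjoins them. With the guard `turn` in both,
# the guards overlap and the actions disagree whenever turn = 1.
def trans_overlapping(cur, nxt):
    user0 = implies(cur["turn"], nxt["data"] == 0)
    user1 = implies(cur["turn"], nxt["data"] == 1)
    return user0 and user1

# Disjoint guards (turn = pid), disjunction-of-conjunctions form, and an
# explicit "otherwise nop" arm, as the Guarded Commands slide recommends.
def trans_guarded(cur, nxt):
    g0, g1 = cur["turn"] == 0, cur["turn"] == 1
    return ((g0 and nxt["data"] == 0) or
            (g1 and nxt["data"] == 1) or
            (not g0 and not g1 and nxt["data"] == cur["data"]))

def summary(trans):
    """(number of allowed transitions, number of dead states)."""
    rel = relation(trans)
    return len(rel), len(dead_states(rel))

if __name__ == "__main__":
    for name, t in [("pitfall", trans_pitfall),
                    ("overlapping", trans_overlapping),
                    ("guarded", trans_guarded)]:
        pairs, dead = summary(t)
        print(f"{name:12s} transitions={pairs:2d} dead states={dead}")
```

The pitfall constraint admits no transition at all, the overlapping guards leave every state with turn = 1 without a successor, and the disjoint guarded form is total: every state has a successor, so no specification holds vacuously.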
SMV Steps
• Read_Model: read the model from the input .smv file
• Flatten_hierarchy: instantiate modules and processes
• Build_model: compile the model into BDDs (initial states, invariant, transition relation)
• Check_spec: check the specification bottom-up
Run SMV
  smv [options] inputfile
• -c cache-size      cache size for BDD operations
• -k key-table-size  key table size for BDD nodes
• -v                 verbose
• -int               interactive mode
• -r                 prints out statistics about the reachable state space
SMV Options
• -f
  • computes the set of reachable states first
  • the model checking algorithm then traverses only the reachable states instead of the complete state space
  • useful if the reachable state space is a small fraction of the total state space
SMV Options: Reordering Variables
• Variable ordering is crucial for small BDD sizes and speed.
• Generally, variables that are related need to be close together in the ordering.
• -i filename, -o filename
  • read (-i) or write (-o) the BDD variable ordering from/to the given file
• -reorder
  • invokes automatic variable reordering
SMV Options: Transition Relation
  smv -cp part_limit
• Conjunctive partitioning: the transition relation is not evaluated as a whole; instead the individual next() assignments are grouped into partitions that do not exceed part_limit.
• Uses less memory and benefits from early quantification.
SMV Options: -inc
• Performs incremental evaluation of the transition relation
• At each step of the forward search, the transition relation is restricted to the set of states reached so far
• Cuts down the size of the transition relation, at the cost of extra computation
Example: Client & Server
  MODULE client(ack)
  VAR
    state : {idle, requesting};
    req   : boolean;
  ASSIGN
    init(state) := idle;
    next(state) :=
      case
        state = idle             : {idle, requesting};
        state = requesting & ack : {idle, requesting};
        1                        : state;
      esac;
    req := (state = requesting);

  MODULE server(req)
  VAR
    state : {idle, pending, acking};
    ack   : boolean;
  ASSIGN
    next(state) :=
      case
        state = idle & req    : pending;
        state = pending       : {pending, acking};
        state = acking & req  : pending;
        state = acking & !req : idle;
        1                     : state;
      esac;
    ack := (state = acking);
Is the specification true?
  MODULE main
  VAR
    c : client(s.ack);
    s : server(c.req);
  SPEC
    AG (c.req -> AF s.ack)
• Need a fairness constraint:
  • Suggestion: FAIRNESS s.ack
  • Why is this bad?
  • Solution: FAIRNESS (c.req -> s.ack)
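An added example (not from the slides, and not SMV's own code) that checks the client/server SPEC under the three fairness choices above, and also illustrates the rules of the Fairness slide (a path is fair iff every FAIRNESS formula holds infinitely often along it; universal formulas hold vacuously where no fair path exists). The client and server next-state cases are transcribed into `successors`; the server state has no init and is therefore unconstrained initially. A fair path staying inside a set of states exists iff that set contains a reachable non-trivial strongly connected component that meets every fairness set, so `EG_fair` is computed with an SCC search rather than SMV's BDD fixpoints. Besides the SPEC, the block evaluates EG !c.req (some run in which the client never requests) under each fairness choice, which shows which runs a constraint silently excludes. All function names are this example's own.

```python
# Added example: explicit-state fair CTL check of the client/server model.
from itertools import product

IDLE, REQUESTING = "idle", "requesting"
PENDING, ACKING = "pending", "acking"
STATES = list(product([IDLE, REQUESTING], [IDLE, PENDING, ACKING]))

def req(s):   # c.req := (c.state = requesting)
    return s[0] == REQUESTING

def ack(s):   # s.ack := (s.state = acking)
    return s[1] == ACKING

def init_states():
    """init(c.state) := idle; the server state is unassigned initially."""
    return {s for s in STATES if s[0] == IDLE}

def successors(s):
    """Synchronous step of client and server (both read current values)."""
    cs, ss = s
    next_cs = {IDLE, REQUESTING} if (cs == IDLE or ack(s)) else {cs}
    if ss == IDLE and req(s):
        next_ss = {PENDING}
    elif ss == PENDING:
        next_ss = {PENDING, ACKING}
    elif ss == ACKING:
        next_ss = {PENDING} if req(s) else {IDLE}
    else:
        next_ss = {ss}
    return {(c, v) for c in next_cs for v in next_ss}

def reach(start, allowed):
    """States reachable from `start` through states satisfying `allowed`."""
    seen, todo = set(), [s for s in start if allowed(s)]
    while todo:
        s = todo.pop()
        if s in seen:
            continue
        seen.add(s)
        todo.extend(t for t in successors(s) if allowed(t) and t not in seen)
    return seen

def sccs(nodes):
    """Kosaraju's algorithm on the subgraph induced by `nodes`."""
    order, seen = [], set()
    def dfs(s):
        seen.add(s)
        for t in successors(s):
            if t in nodes and t not in seen:
                dfs(t)
        order.append(s)
    for s in nodes:
        if s not in seen:
            dfs(s)
    preds = {s: {p for p in nodes if s in successors(p)} for s in nodes}
    comps, assigned = [], set()
    for s in reversed(order):
        if s in assigned:
            continue
        comp, todo = set(), [s]
        while todo:
            u = todo.pop()
            if u in assigned:
                continue
            assigned.add(u)
            comp.add(u)
            todo.extend(preds[u] - assigned)
        comps.append(comp)
    return comps

def EG_fair(p, fairness):
    """States with a fair path along which p holds everywhere: p-states
    that can reach, inside p, a non-trivial SCC meeting every fairness set."""
    nodes = {s for s in STATES if p(s)}
    fair_comps = [c for c in sccs(nodes)
                  if (len(c) > 1 or any(s in successors(s) for s in c))
                  and all(any(f(s) for s in c) for f in fairness)]
    good = set().union(*fair_comps)
    return {s for s in nodes if reach({s}, p) & good}

def spec_ag_req_implies_af_ack(fairness):
    """AG (c.req -> AF s.ack) fails iff a reachable c.req state lies in
    EG_fair(!s.ack), i.e. has a fair path on which s.ack never holds."""
    reachable = reach(init_states(), lambda s: True)
    bad = {s for s in reachable if req(s)} & EG_fair(lambda s: not ack(s), fairness)
    return not bad

def spec_eg_not_req(fairness):
    """EG !c.req must hold in every initial state for the SPEC to hold."""
    return init_states() <= EG_fair(lambda s: not req(s), fairness)

NO_FAIRNESS = []
FAIR_ACK = [ack]                                           # FAIRNESS s.ack
FAIR_REQ_IMPLIES_ACK = [lambda s: (not req(s)) or ack(s)]  # FAIRNESS (c.req -> s.ack)

if __name__ == "__main__":
    for name, f in [("none", NO_FAIRNESS), ("s.ack", FAIR_ACK),
                    ("c.req -> s.ack", FAIR_REQ_IMPLIES_ACK)]:
        print(f"{name:16s} AG(c.req -> AF s.ack) = {spec_ag_req_implies_af_ack(f)}"
              f"   EG !c.req = {spec_eg_not_req(f)}")
```

Without fairness the SPEC fails because the server may stay pending forever; both fairness constraints make it true, but only FAIRNESS (c.req -> s.ack) still admits a run in which the client never requests, whereas FAIRNESS s.ack discards every such run as unfair, which is a constraint on the client rather than on the server.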
NuSMV
• Specifications expressible in CTL, LTL and real-time CTL logics
• Provides both BDD-based and SAT-based model checking
• Uses a number of heuristics to achieve efficiency and control state explosion
• Larger number of features in interactive mode
Cadence SMV
• Provides "compositional techniques" to verify large, complex systems by decomposing them into smaller problems
• Provides a variety of techniques: refinement verification, symmetry reductions, uninterpreted functions, data type reductions
Useful Links
• SMV sources, binaries and manuals: http://www.cs.cmu.edu/~modelcheck/smv.html
• SMV man page: http://www.cs.cmu.edu/~dongw/smv.txt
• SMV manual: http://www.cs.cmu.edu/~modelcheck/smvmanual.ps
• Tutorial on verification techniques using Cadence SMV: http://www-cad.eecs.berkeley.edu/~kenmcmil/tutorial.ps
• SMV input language documentation: http://www-cad.eecs.berkeley.edu/~kenmcmil/psdoc.html
Downloads
• SMV: www.cs.cmu.edu/~modelcheck/smv.html
• NuSMV: http://nusmv.irst.itc.it/
• Cadence SMV: http://www-cad.eecs.berkeley.edu/~kenmcmil/smv