Symbolic Model Verifier: Introduction

1
Symbolic Model Verifier Introduction

• Chien-Liang Chen (???)

2
Useful Link

• CMU Model Checking homepage
• http//www.cs.cmu.edu/modelcheck/smv.html
• Cadence SMV
• http//www-cad.eecs.berkeley.edu/kenmcmil/smv
• NuSMV
• http//nusmv.irst.itc.it/

3
SMVSymbolic Model Verifier

• Ken McMillan, Symbolic Model Checking An
  Approach to State Explosion Problem, 1993.
• Finite-state Systems described in a specialized
  language
• Specifications given as CTL formulas
• Internal representation using BDDs
• Automatically verifies specification or produce
  counterexamples

4
SMVSymbolic Model Verifier
5
SMVSymbolic Model Verifier

• SMV is a program that verifies whether a logic
  model ? representing a systems behaviour
  satisfies temporal logic (CTL) formulate f
  representing desired properties of the system
• ? f
• In SMV, the logic model is a symbolic
  representation of the systems reachable state
  space.
• Developed to verify synchronous circuits
• Extended to verify asychronous circuits
• Successfully used to verify models of reactive
  software system

6
Reactive Systems

• System interacts with its environment, monitoring
  and responding to environmental events
• Computation may not terminate
• System behaviour changes over time, in reaction
  to history of inputs
• Complexity is due to concurrency and interactions
  among components
• Examples operating systems, embedded systems,
  process-control systems, financial trading
  systems, automated banking machines, etc.

7
Compared to Transformational Programs

• Program computes a function from inputs to
  outputs
• Complexity is in data transformations
• Examples compilers, filters, payroll systems,
  scientific computations

8
SMV Modelling

• Goal is to describe control and interaction.
  Hence, no complex data structures, not much data
  manipulation.
• SMV Language Communicating Finite State Machines
  (FSMs with variables and communication channels)
• System may consist of several modules
• Modules consist of several simple parallel
  assignments
• Model may also specify constraints on
  environments behaviour

9
SMV Modelling

• A system is described as a set of modules. Each
  module is a reactive system interacting with
  other modules and the systems environment.
• Each module has variables that it reacts to, and
  that it manipulates.
• In each module, there are variable declarations,
  variable assignments, and properties that we want
  to check.
• The main module is like a main program. In the
  simplest SMV descriptions, we use only the main
  module and no sub-modules.
• Modules can be parameterized, and the main module
  can create instances of modules to describe the
  system.

10
SMV Modelling

• Recall, that the SMV modelling notation is used
  to describe communicating finite state machines.
• It consists of a set of modules, with one main
  module.
• In each module there are
• variables declarations,
• variable initialization,
• assignments, and
• properties that we want to check.

11
Symbolic Model Verifier

• SMV language
• Module
• Module name
• VAR
• Variable declaration
• Boolean, Bounded Integer, Enumerated
• ASSIGN
• Initial and next value of variables
• DEFINE
• Macros
• TRANS
• Constraint on systems transition relation
• SPEC
• Property to check

12
Symbolic Model Verifier

• SMV language
• INIT
• The set of initial states of the model
• INVAR
• The set of all states of the model restrict to
  those that satisfy a Boolean expression under the
  INVAR keyword.

13
Data types and type declarations
14
Boolean, enumerated and subrange types
15
Arrays

• An array of signals is declared in the following
  way
• ltsignalgt array ltxgt..ltygt of lttypegt
• This declares a collection of signals of type
  lttypegt, with subscripts running from ltxgt to ltygt.
  For example, the declaration
• zip array 2..0 of boolean
• is equivalent to declaring.
• zip2 boolean
• zip1 boolean
• zip0 boolean

16
Multidimensional arrays

• Arrays of arrays can also be declared. For
  example,
• matrix array 0..1 of array 2..0 of boolean
• is equivalent to
• matrix0 array 2..0 of boolean
• matrix1 array 2..0 of boolean
• The boolean signals declared in this way are
• matrix00 matrix01 matrix02
• matrix10 matrix11 matrix12

17
Generic arrays

• Note that an array in SMV is not really a data
  type. It is simply a collection of signals with
  similar names. This means that it is possible to
  declare an array'' whose elements have
  different types, by simply declaring the elements
  individually. For example
• state0 ready, willing
• state1 ready, willing, able
• state2 ready, willing, able, exhausted

18
Structure

• A structure is a collection of signals that are
  referred to by symbolic names, rather than
  numeric subscripts. A structure declarion has
  this form
• foo struct
• c1 type1
• c2 type2
• ...
• cn typen
• where c1...cn are symbolic names. This
  declaration is exactly equivalent to the
  declarations
• foo.c1 type1
• foo.c2 type1
• ..
• foo.cn type1
• That is, like an array, a structure is simply a
  collection of signals with similar names.

19
Arithmetic Operators
20
Comparison Operators
21
Boolean Operators

• The boolean operators are
• '', for logical and,
• '' for logical or,
• '' for logical not,
• '' for exclusive or ,
• -gt'' for implies, and
• lt-gt'' for if-and-only-if (exclusive nor).
• The boolean values are 0 (false) and 1 (true).

22
Signals and assignments

• A value of a signal is an infinite sequence of
  values of a given type. For example,
• 0101...
• is a sequence of type boolean (of course, it is
  also an integer sequence). Normally, we
  interpreted this sequence as being a seqeunce of
  values occurring over time, although this
  interpretation is not necessary.

23
Operations on signals

• An operator is applied to a signal value one
  element at a time. For example, the operator
  stands for logical not''. Thus if
• foo 0101...
• then
• foo 1010...
• That is, it is the result of applying logical
  not'' to each element of the sequence.
  Similarly, stands for logical and''. Thus, if
• foo 0101...
• and bar 0011...
• then
• foo bar 0001...

24
Assignments

• An assignment is of the form
• ltsignalgt ltexprgt
• where ltexprgt is an expression that combines other
  signals using operators like and . Unlike an
  assignent in a typical procedural'' language,
  this assignment means exactly what it says that
  ltsignalgt is equal to ltexprgt. So for example,
  suppose we make the assignment
• zip foo bar

25
Rules for assignments

• An SMV program amounts simply to a system of
  simultaneous equations, with a set of unkowns
  that are the declared signals. With an arbitrary
  set of equations, there is, of course, no
  guarantee that a solution exists, or that the
  solution is unique. Examples of systems that have
  no solutions are
• x x 1
• or
• next(x) x 1
• next(x) x - 1
• An example of a system with many solutions is
• x y
• y x

26
Rules for assignments

• The single assignment rule - each signal may be
  assigned only once.
• The circular dependency rule - a program may not
  have cycles'' in its dependency graph that are
  not broken by delays.

27
Nondeterministic assignments

• Non-determinism more than one outcome possible.
• Non-deterministic assignments
• x 1,2,3,4
• Undefined assignments
• A variable of undefined value may take on any
  value in its type. See examples next page. Note
  undefined assignments are not a good idea!

28
Undefined Assignments
29
Unit delay assignments - the next'' operator

• If x is a signal, then next(x) is, intuitively,
  the next'' value of x. More precisely, the i-th
  value of next(x) is equal to the (i1)st value of
  x. Thus, for example, if x 0,1,2,3,... Then
  next(x) 1,2,3,4,...
• For example, assuming x and y are boolean
  signals, next(x) y x
• We can determine this initial value by assigning
• init(x) 0
• In this case, if we had
• y 0101...
• we would get
• x 00110011...

30
Conditionals
31
Conditionals
32
Conditionals
33
Defaults

• The default'' construct provides a way of
  automatically filling in the cases where a signal
  is undefined with a default value. The syntax is
  
• default
• ltstmt1gt
• in
• ltstmt2gt
• The effect of this statement is to use the
  assignments in ltstmt1gt in any cases in ltstmt2gt
  where the given signal is unassigned.

34
Defaults
35
Complex conditionals - switch and case
36
Complex conditionals - switch and case
37
Complex conditionals - switch and case
38
Complex conditionals - switch and case
39
Basic for-loops

• For example,
• for(i 0 i lt 3 i i 1)
• xi i
• is in every way equivalent to
• x0 0
• x1 1
• x2 2
• The general form of the loop is
• for(var init cond var next)
• ltstmtgt

40
Kripke structure
MODULE main VAR state s0, s1, s2 ASSIGN
init(state) s0 next(state) case
states0 s1 states1 s2
states2 s2, s0 1 state
esac DEFINE p states0 q
states2 SPEC AG(p ? AFq) SPEC AG AF p
s0
p
s2
s1
q
? true
? false Counter example s0,s1,s2,s2,s2
Kripke structure
SMV code
41
Ready-Busy Example
MODULE main VAR request boolean task_done
boolean state ready, busy ASSIGN
Init(state) ready next(state) case
state ready request busy state busy
task_done ready 1 state esac
42
Modules

• Module declarations
• Instantiations
• Input and output declarations
• Instance hierarchies
• Structured data types
• Defined types

43
Module declarations
44
Instantiations
45
Input and output declarations
46
Instance hierarchies
47
Instance hierarchies
48
Structured data types
49
Structured data types
50
Defined types
51
(No Transcript)
52
(No Transcript)
53
(No Transcript)
54
(No Transcript)
55
(No Transcript)
56
(No Transcript)
57
(No Transcript)
58
(No Transcript)
59
(No Transcript)
60
(No Transcript)
61
(No Transcript)
62
(No Transcript)
63
(No Transcript)
64
(No Transcript)
65
(No Transcript)
66
(No Transcript)
67
(No Transcript)
68
(No Transcript)
69
(No Transcript)
70
(No Transcript)