CMU CS 15414 - lecture 13_SMV
Introduction to SMV
Arie Gurfinkel (SEI/CMU), based on material by Prof. Clarke and others
© 2011 Carnegie Mellon University

Slide 2: Symbolic Model Verifier (SMV)
• Ken McMillan, Symbolic Model Checking: An Approach to the State Explosion Problem, 1993.
• Finite-state systems described in a specialized language
• Specifications given as CTL formulas
• Internal representation using ROBDDs
• Automatically verifies the specification or produces a counterexample

Slide 3: Overview of SMV
[Figure: an SMV input language description is compiled to a finite-state Kripke structure; together with the specification (a CTL formula) it is fed to the OBDD-based symbolic model checking backend, which answers Yes, or No together with a counterexample.]

Slide 4: SMV Variants
• CMU SMV: the oldest version; no GUI
• Cadence SMV: strong abstraction functions; GUI; new language
• NuSMV: two versions
  • 1.x: original version, had a GUI
  • 2.x: open source, many new features, BDD- and SAT-based backends

Slide 5: NuSMV2 Architecture
[Figure: NuSMV2 architecture diagram]

Slide 6: SMV Language
• Allows description of completely synchronous to asynchronous systems, detailed to abstract systems
• Modularized and hierarchical descriptions
• Finite data types: Boolean and enumerated
• Parallel-assignment syntax
• Non-determinism

Slide 7: A Sample SMV Program (short.smv)

    MODULE main
    VAR
        request : boolean;
        state   : {ready, busy};
    ASSIGN
        init(state) := ready;
        next(state) :=
            case
                state = ready & request : busy;
                TRUE                    : {ready, busy};
            esac;
    SPEC AG(request -> AF (state = busy))

Slide 8: Kripke structure and computation tree for short.smv
[Figure: the Kripke structure has four states, (ready, !request), (busy, !request), (ready, request) and (busy, request); the computation tree unrolls it. Annotations on the tree: "busy" holds after one step from (ready, request), and "busy" holds in the initial state of the busy branches.]
The specification AG(request -> AF (state = busy)) holds: whenever request is true, state = busy is eventually reached on every path.

Slide 9: A Sample SMV Program (short.smv), with AF changed to AX

    MODULE main
    VAR
        request : boolean;
        state   : {ready, busy};
    ASSIGN
        init(state) := ready;
        next(state) :=
            case
                state = ready & request : busy;
                TRUE                    : {ready, busy};
            esac;
    SPEC AG(request -> AX (state = busy))

What if AF is changed to AX?

Slide 10: AG(request -> AX (state = busy)) is false
[Figure: the same four-state Kripke structure. From (busy, request) the next state may be ready, so "busy in the next state" is not guaranteed.]

Slide 11: SMV Syntax: Expressions

    Expr ::   atom                 -- symbolic constant
            | number               -- numeric constant
            | id                   -- variable identifier
            | "!" Expr             -- logical not
            | Expr "&" Expr        -- logical and
            | Expr "|" Expr        -- logical or
            | Expr "->" Expr       -- logical implication
            | Expr "<->" Expr      -- logical equivalence
            | "next" "(" id ")"    -- next value
            | Case_expr
            | Set_expr

Slide 12: The Case Expression

    Case_expr :: "case"
                     expr_a1 ":" expr_b1 ";"
                     ...
                     expr_an ":" expr_bn ";"
                 "esac"

• Guards are evaluated sequentially
• The first one that is true determines the resulting value
• Cases must be exhaustive: it is an error if all expressions on the left-hand side evaluate to FALSE

Slide 13: Variables and Assignments

    Decl :: "VAR"
                atom1 ":" type1 ";"
                atom2 ":" type2 ";"
                ...

    Decl :: "ASSIGN"
                dest1 ":=" Expr1 ";"
                dest2 ":=" Expr2 ";"
                ...

    Dest ::   atom                     -- current
            | "init" "(" atom ")"      -- initial
            | "next" "(" atom ")"      -- next-state

Slide 14: Variables and Assignments (cont'd)
• A state is an assignment of values to a set of state variables
• Type of a variable: boolean, scalar, user-defined module, or array
• Assignment to the initial state:
      init(value) := FALSE;
• Assignment to the next state (transition relation):
      next(value) := value xor carry_in;
• Assignment to the current state (invariant):
      carry_out := value & carry_in;
• Either init/next or an invariant assignment should be used for a variable, but not both
• SMV is a parallel assignment language

Slide 15: Circular Definitions ... are not allowed

    a       := next(b);
    next(b) := c;
    c       := a;

The following, by contrast, is allowed: every dependency goes through next(), so no variable depends on its own value within the same step.

    init(a) := 0;
    next(a) := !b;
    init(b) := 1;
    next(b) := !a;

Slide 16: Nondeterminism
• A completely unassigned variable models an unconstrained input
• {val_1, ..., val_n} is an expression taking on any of the given values nondeterministically:
      next(b) := {TRUE, FALSE};
• Nondeterministic choice can be used to:
  • Model an environment that is outside of the control of the system
  • Model an implementation that has not been refined yet
  • Abstract behavior

Slide 17: ASSIGN and DEFINE

    VAR a : boolean;
    ASSIGN a := b | c;

• declares a new state variable a
• becomes part of the invariant relation

    DEFINE d := b | c;

• a macro definition: each occurrence of d is replaced by (b | c)
• no extra BDD variable is generated for d
• the BDD for (b | c) becomes part of each expression using d

Slide 18: SPEC Declaration

    Decl     :: "SPEC" ctlform

    Ctlform  ::   expr                  -- bool expression
                | "!" ctlform
                | Ctlform <op> Ctlform
                | "E" Pathform
                | "A" Pathform

    Pathform ::   "X" Ctlform
                | "F" Ctlform
                | "G" Ctlform
                | Ctlform "U" Ctlform

Slide 19: Modules
• Modules can be instantiated many times; each instantiation creates a copy of the local variables
• Each program must have a module main
• Scoping: variables declared outside a module can be passed as parameters
• Parameters are passed by reference

Slide 20: Pass by reference

    DEFINE
        a := 0;
    VAR
        b : bar(a);
    ...
    MODULE bar(x)
    DEFINE
        a := 1;
        y := x;

Because x is a reference to main's a (not bar's local a), the instance b flattens to:

    DEFINE
        a   := 0;
        b.y := 0;
        b.a := 1;

Slide 21: Pass by reference (cont'd)
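To make the difference between the AF and AX versions of the short.smv specification (slides 7 to 10) concrete, the following added example (not part of the lecture slides, and deliberately explicit-state rather than the BDD-based symbolic algorithm SMV itself uses) enumerates the four states of short.smv's Kripke structure and evaluates AX, AF and AG as set operations and fixpoints. State names, the helper functions and the set encoding of CTL formulas are this example's own conventions.

```python
# Explicit-state CTL checking of the Kripke structure induced by short.smv.
# A state is a pair (state, request); request is unassigned in the model,
# so it is an unconstrained input and may take either value in every step.
from itertools import product

STATES = [(st, req) for st, req in product(("ready", "busy"), (False, True))]
ALL = set(STATES)


def is_initial(s):
    # init(state) := ready; request is unconstrained in the initial state too
    return s[0] == "ready"


def successors(s):
    # next(state) := case state = ready & request : busy;
    #                     TRUE : {ready, busy}; esac
    st, req = s
    nxt = ["busy"] if (st == "ready" and req) else ["ready", "busy"]
    return {(n, r) for n in nxt for r in (False, True)}


def ax(p):
    """AX p: states all of whose successors satisfy p."""
    return {s for s in STATES if successors(s) <= p}


def af(p):
    """AF p as the least fixpoint of Z = p | AX Z."""
    z = set(p)
    while (nz := z | ax(z)) != z:
        z = nz
    return z


def ag(p):
    """AG p as the greatest fixpoint of Z = p & AX Z."""
    z = set(p)
    while (nz := z & ax(z)) != z:
        z = nz
    return z


def implies(a, b):
    return (ALL - a) | b


REQUEST = {s for s in STATES if s[1]}            # request
BUSY = {s for s in STATES if s[0] == "busy"}     # state = busy


def holds(sat):
    """A SPEC holds iff every initial state satisfies it."""
    return all(s in sat for s in STATES if is_initial(s))


def spec_af():    # SPEC AG(request -> AF (state = busy))
    return holds(ag(implies(REQUEST, af(BUSY))))


def spec_ax():    # SPEC AG(request -> AX (state = busy))
    return holds(ag(implies(REQUEST, ax(BUSY))))
```

Running the two checks returns True for the AF specification and False for the AX one; the state (busy, request) is the witness where request holds but a successor with state = ready exists.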