CMU CS 15414 - lec14_SMV2

Introduction to SMV, Part 2
Arie Gurfinkel (SEI/CMU), based on material by Prof. Clarke and others
© 2011 Carnegie Mellon University

Outline (slide titles)
Symbolic Model Verifier (SMV); A Sample SMV Program (short.smv); A Three-Bit Counter; Inverter Ring; Fairness; Can A TRUE Result of Model Checker be Trusted; Vacuity Detection: Single Occurrence; Detecting Vacuity in Multiple Occurrences: ACTL; Run NuSMV; Using NuSMV in Interactive Mode; Useful Links; Today: 3 Examples; Example 1: Mutual Exclusion; Overview; Basic Idea; Example (9 slides); SMV Model (4 slides); Properties (2 slides); Outline; Let's Model all of this in NuSMV; Properties 1/2; Properties 2/2; Fairness Constraints; Implementations…; Some more variables; traffic1.smv: main module; traffic1.smv: North module 1/2; traffic1.smv: North module 2/2; Mutual Exclusion CEX; traffic1.smv: North module 1/2; traffic2.smv: fix; Model checking traffic2.smv; CEX for Liveness is a Fair Cycle; Add 'Turn' to Ensure Liveness; traffic3.smv: Adding Turn; Model check again…; traffic4.smv; traffic4.smv: North Module; Hurray!; Possible extensions

Brief Review

Symbolic Model Verifier (SMV) (slide footer: 2/18/2005)
• Ken McMillan, Symbolic Model Checking: An Approach to the State Explosion Problem, 1993.
• Finite-state systems described in a specialized language
• Specifications given as CTL formulas
• Internal representation using ROBDDs
• Automatically verifies the specification or produces a counterexample

A Sample SMV Program (short.smv)

    MODULE main
    VAR
      request : boolean;
      state   : {ready, busy};
    ASSIGN
      init(state) := ready;
      next(state) := case
                       state = ready & request : busy;
                       TRUE                    : {ready, busy};
                     esac;
    SPEC AG(request -> AF (state = busy))

A Three-Bit Counter

    MODULE main
    VAR
      bit0 : counter_cell(TRUE);
      bit1 : counter_cell(bit0.carry_out);
      bit2 : counter_cell(bit1.carry_out);
    SPEC AG AF bit2.carry_out

    MODULE counter_cell(carry_in)
    VAR
      value : boolean;
    ASSIGN
      init(value) := FALSE;
      next(value) := value xor carry_in;   -- (value + carry_in) mod 2
    DEFINE
      carry_out := value & carry_in;

[Figure: the module declaration counter_cell (ports in, out, val) and its three module instantiations bit0, bit1, bit2, each cell's out feeding the next cell's in]

Inverter Ring

    MODULE main
    VAR
      gate1 : process inverter(gate3.output);
      gate2 : process inverter(gate1.output);
      gate3 : process inverter(gate2.output);
    SPEC (AG AF gate1.output) & (AG AF !gate1.output)

    MODULE inverter(input)
    VAR
      output : boolean;
    ASSIGN
      init(output) := FALSE;
      next(output) := !input;
    FAIRNESS running

Fairness
    FAIRNESS Ctlform      e.g.  FAIRNESS running
• Assumed to be true infinitely often
• The model checker only explores paths satisfying the fairness constraint
• Each fairness constraint must be true infinitely often
If there are no fair paths:
• All existential formulas are false
• All universal formulas are true

Can A TRUE Result of a Model Checker be Trusted?
Antecedent Failure [Beatty & Bryant 1994]
• A temporal formula AG (p ⇒ q) suffers an antecedent failure in model M iff M ⊧ AG (p ⇒ q) and M ⊧ AG ¬p
Vacuity [Beer et al. 1997]
• A temporal formula φ is satisfied vacuously by M iff there exists a sub-formula p of φ such that M ⊧ φ[p ← q] for every other formula q
• e.g., M ⊧ AG (r ⇒ AF a) and M ⊧ AG (r ⇒ AF r) and M ⊧ AG (r ⇒ AF FALSE), … (the consequent AF a can be replaced by anything, which is exactly the case when r never holds)

Vacuity Detection: Single Occurrence
φ is vacuous in M iff there exists an occurrence of a subformula p such that
• M ⊧ φ[p ← TRUE] and M ⊧ φ[p ← FALSE]
For φ = AG (req ⇒ AF ack), the four substitutions reduce to:
    M ⊧ AG (req ⇒ AF TRUE)    ≡  M ⊧ AG TRUE
    M ⊧ AG (req ⇒ AF FALSE)   ≡  M ⊧ AG ¬req
    M ⊧ AG (TRUE ⇒ AF ack)    ≡  M ⊧ AG AF ack
    M ⊧ AG (FALSE ⇒ AF ack)   ≡  M ⊧ AG TRUE

Detecting Vacuity in Multiple Occurrences: ACTL
An ACTL formula φ is vacuous in M iff there exists a subformula p such that
• M ⊧ φ[p ← x], where x is a non-deterministic variable
Is AG (req ⇒ AF req) vacuous? Should it be?
    Always vacuous:  M ⊧ AG (x ⇒ AF x)  ≡  M ⊧ AG TRUE
Is AG (req ⇒ AX req) vacuous? Should it be?
    Can be vacuous:  M ⊧ AG (x ⇒ AX x)  cannot be reduced further

Run NuSMV
    NuSMV [options] inputfile
• -int        interactive mode
• -lp         list all properties
• -n X        check property number X
• -ctt        check totality of the transition relation
• -old        compatibility mode
• -ofm file   output flattened model

Using NuSMV in Interactive Mode
Basic usage
• go – prepare the model for verification
• check_ctlspec – verify properties
Simulation
• pick_state [-i] [-r] – pick an initial state for simulation (interactively or randomly)
• simulate [-i] [-r] s – simulate the model for s steps (interactively or randomly)
• show_traces – show active traces

Useful Links
• NuSMV home page: http://nusmv.fbk.eu/
• NuSMV tutorial: http://nusmv.fbk.eu/NuSMV/tutorial/v25/tutorial.pdf
• NuSMV user manual: http://nusmv.fbk.eu/NuSMV/userman/v25/nusmv.pdf
• NuSMV FAQ: http://nusmv.fbk.eu/faq.html
• NuSMV on Andrew: /afs/andrew.cmu.edu/usr6/soonhok/public/NuSMV-zchaff-2.5.3-x86_64-redhat-linux-gnu/
• NuSMV examples: <NuSMV>/share/nusmv/examples
• Ken McMillan, Symbolic Model Checking: An Approach to the State Explosion Problem, 1993: http://www.kenmcmil.com/pubs/thesis.pdf

Today: 3 Examples
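The two vacuity checks from the slides above (single occurrence: substitute TRUE and FALSE for one subformula; ACTL multiple occurrences: substitute a fresh non-deterministic variable for every occurrence), applied to the short.smv model, as an added Python example that is not lecture code. It is a small explicit-state CTL checker (NuSMV computes the same fixpoints symbolically on ROBDDs), the Kripke structure is hand-built from short.smv, and the variant with `request` held at FALSE is a hypothetical modification introduced here so that an antecedent failure can be seen being caught. All function and variable names are this example's own.

```python
"""Explicit-state CTL model checking plus the two vacuity checks from the
slides. Added example, not lecture code: NuSMV does this symbolically with
ROBDDs; here the same fixpoints run on explicit sets of states."""
from itertools import product


class Kripke:
    """Finite Kripke structure with a total transition relation."""

    def __init__(self, states, init, trans, label):
        self.states = set(states)
        self.init = set(init)
        self.trans = trans  # state -> set of successor states
        self.label = label  # state -> set of atomic propositions true there
        assert all(trans[s] for s in self.states), "transition relation must be total"

    def pre(self, targets):
        """States with at least one successor in `targets` (this is EX)."""
        return {s for s in self.states if self.trans[s] & targets}


# CTL formulas as nested tuples: ('ap', name) | ('true',) | ('false',) | ('not', f)
# | ('and', f, g) | ('imp', f, g) | ('EX', f) | ('EG', f) | ('EU', f, g)
# and the derived operators ('AX', f) | ('AF', f) | ('AG', f).
TRUE, FALSE = ('true',), ('false',)


def sat(m, f):
    """Set of states of m satisfying f (standard fixpoint characterisation)."""
    op = f[0]
    if op == 'true':   return set(m.states)
    if op == 'false':  return set()
    if op == 'ap':     return {s for s in m.states if f[1] in m.label[s]}
    if op == 'not':    return m.states - sat(m, f[1])
    if op == 'and':    return sat(m, f[1]) & sat(m, f[2])
    if op == 'imp':    return sat(m, ('not', f[1])) | sat(m, f[2])
    if op == 'EX':     return m.pre(sat(m, f[1]))
    if op == 'EU':     # least fixpoint  Z = g | (f & EX Z)
        a, z = sat(m, f[1]), sat(m, f[2])
        while (nz := z | (a & m.pre(z))) != z:
            z = nz
        return z
    if op == 'EG':     # greatest fixpoint  Z = f & EX Z
        z = sat(m, f[1])
        while (nz := z & m.pre(z)) != z:
            z = nz
        return z
    if op == 'AX':     return sat(m, ('not', ('EX', ('not', f[1]))))
    if op == 'AF':     return sat(m, ('not', ('EG', ('not', f[1]))))
    if op == 'AG':     return sat(m, ('not', ('EU', TRUE, ('not', f[1]))))  # !E[TRUE U !f]
    raise ValueError(f"unknown operator {op}")


def holds(m, f):
    """M |= f : every initial state satisfies f."""
    return m.init <= sat(m, f)


def occurrences(f, path=()):
    """Index paths of every proper subformula occurrence of f."""
    for i, sub in enumerate(f[1:], 1):
        if isinstance(sub, tuple):
            yield path + (i,)
            yield from occurrences(sub, path + (i,))


def replace_at(f, path, new):
    """f[p <- new] for the single occurrence at `path`."""
    if not path:
        return new
    i = path[0]
    return f[:i] + (replace_at(f[i], path[1:], new),) + f[i + 1:]


def replace_all(f, old, new):
    """f[p <- new] for every occurrence of the subformula `old`."""
    if f == old:
        return new
    return tuple(replace_all(part, old, new) if isinstance(part, tuple) else part for part in f)


def vacuous_occurrences(m, f):
    """Single-occurrence check: paths p where f[p <- TRUE] and f[p <- FALSE] both hold."""
    return [p for p in occurrences(f)
            if holds(m, replace_at(f, p, TRUE)) and holds(m, replace_at(f, p, FALSE))]


def with_free_var(m, x):
    """Product of m with a boolean x chosen non-deterministically at every step."""
    states = {(s, b) for s in m.states for b in (False, True)}
    trans = {(s, b): {(t, c) for t in m.trans[s] for c in (False, True)} for (s, b) in states}
    label = {(s, b): m.label[s] | ({x} if b else set()) for (s, b) in states}
    return Kripke(states, {(s, b) for s in m.init for b in (False, True)}, trans, label)


def vacuous_in(m, f, p, x='_x'):
    """ACTL multiple-occurrence check: f[p <- x] still holds for a fresh free variable x."""
    return holds(with_free_var(m, x), replace_all(f, p, ('ap', x)))


def short_smv(request_stuck_false=False):
    """Kripke structure of short.smv; states are (state, request) pairs. `request` is a
    free boolean, or (hypothetical variant, not on the slides) held at FALSE so that
    the antecedent of the SPEC never holds."""
    reqs = (False,) if request_stuck_false else (False, True)
    states = set(product(('ready', 'busy'), reqs))

    def nxt(s, r):  # next(state) := case state = ready & request : busy; TRUE : {ready, busy}; esac
        return {'busy'} if (s == 'ready' and r) else {'ready', 'busy'}

    trans = {(s, r): {(t, r2) for t in nxt(s, r) for r2 in reqs} for (s, r) in states}
    label = {(s, r): ({'request'} if r else set()) | ({'busy'} if s == 'busy' else set())
             for (s, r) in states}
    return Kripke(states, {('ready', r) for r in reqs}, trans, label)  # init(state) := ready


REQ, BUSY = ('ap', 'request'), ('ap', 'busy')
SPEC = ('AG', ('imp', REQ, ('AF', BUSY)))      # AG(request -> AF state = busy)
SPEC_SELF = ('AG', ('imp', REQ, ('AF', REQ)))  # AG(req -> AF req) from the ACTL slide

if __name__ == '__main__':
    for name, m in (('short.smv', short_smv()), ('request stuck FALSE', short_smv(True))):
        print(name, '| SPEC holds:', holds(m, SPEC), '| vacuous at:', vacuous_occurrences(m, SPEC))
    m = short_smv()
    print('AG(req -> AF req) holds:', holds(m, SPEC_SELF), '| single-occurrence:',
          vacuous_occurrences(m, SPEC_SELF), '| free-variable check:', vacuous_in(m, SPEC_SELF, REQ))
```

On short.smv as written the SPEC holds and neither check reports vacuity. On the stuck-FALSE variant the SPEC still holds, and the single-occurrence check flags the consequent, paths (1, 2) and (1, 2, 1), because AG(request ⇒ AF FALSE) reduces to AG ¬request and is true: that is the antecedent failure. For AG(req ⇒ AF req) the single-occurrence check reports nothing (replacing either occurrence of req alone does not preserve truth), while the free-variable check reports vacuity, matching the slide's "always vacuous".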