2/18/2005 1

Introduction to SMV

2/18/2005 2

Symbolic Model Verifier Ken McMillan, Symbolic Model

Checking: An Approach to the State Explosion Problem, 1993.

Finite-state Systems described in a specialized language

Specifications given as CTL formulas Internal representation using OBDDs Automatically verifies specification or

produces a counterexample

2/18/2005 3

Overview of SMV

SMV Input Language

Finite State Kripke Structure

Specification – CTL Formula

OBDD based Symbolic Model Checking

Yes

No

CounterExample

Backend

2/18/2005 4

Language Characteristics Allows description of completely

synchronous to asynchronous systems, detailed to abstract systems

Modularized and hierarchical descriptions

Finite data types: Boolean and enumerated

2/18/2005 5

Language Characteristics (cont..)

Parallel-assignment syntax

Non-determinism

2/18/2005 6

A Sample SMV Program

MODULE mainVAR request: boolean; state: {ready, busy};ASSIGN init(state) := ready; next(state) :=

casestate=ready & request: busy;1: {ready, busy};

esac;SPEC AG(request -> AF (state = busy))

2/18/2005 7

SMV Syntax - ExpressionsExpr :: atom ;; symbolic constant | number ;; numeric constant | id ;; variable identifier | “!” expr ;; logical not | expr1 <op> expr2 | “next” “(“ id “)” ;; next value | case_expr | set_expr

2/18/2005 8

The Case ExpressionCase_expr :: “case” expr_a1 “:” expr_b2 “;” … expr_an “:” expr_bn “;” “esac” Guards are evaluated sequentially. The first one that is true determines the

resulting value If none of the guards are true, result is

numeric value 1

2/18/2005 9

State Variables

Decl :: “VAR” atom1 “:” type1 “;” atom2 “:” type2 “;” … State is an assignment of values to

a set of state variables Type of a variable – boolean, scalar,

user defined module, or array.

2/18/2005 10

ASSIGN declaration

Decl :: “ASSIGN” dest1 “:=“ expr1 “;” dest2 “:=“ expr2 “;” …Dest :: atom | “init” “(“ atom “)” | “next” “(“ atom “)”

2/18/2005 11

Variable Assignments

Assignment to initial state: init(value) := 0;

Assignment to next state (transition relation)next(value) := value + carry_in mod 2;

Assignment to current state (invariant)carry_out := value & carry_in;

Either init-next or invar should be used, but not both

SMV is a parallel assignment language

2/18/2005 12

Circular definitions … are not allowed! This is illegal:

a := next(b);next(b) := c;c := a;

This is o.k. init(a) := 0;

next(a) := !b;

init(b) := 1;next(b) := !a;

2/18/2005 13

Nondeterminism

Completely unassigned variable can model unconstrained input.

{val_1, …, val_n} is an expression taking on any of the given values nondeterministically.

Nondeterministic choice can be used to: Model an implementation that has not been

refined yet Abstract behavior

2/18/2005 14

ASSIGN and DEFINE

VAR a: boolean;ASSIGN a := b | c; declares a new state variable a becomes part of invariant relation

DEFINE d:= b | c; is effectively a macro definition, each

occurrence of d is replaced by b | c no extra BDD variable is generated for d the BDD for b | c becomes part of each

expression using d

2/18/2005 15

SPEC declaration Decl :: “SPEC” ctlform Ctlform :: expr ;; bool expression | “!” ctlform | ctlform1 <op> ctlform2 | “E” pathform | “A” pathform Pathform :: “X” ctlform | “F” ctlform | “G” ctlform | ctlform1 “U” ctlform2

2/18/2005 16

Modules and Hierarchy

Modules can be instantiated many times, each instantiation creates a copy of the local variables

Each program has a module main

Scoping Variables declared outside a module can be

passed as parameters

Parameters are passed by reference.

2/18/2005 17

Pass by referenceDEFINE a := 0;VAR b : bar(a);…MODULE bar(x)DEFINE a := 1; y := x;

2/18/2005 18

Pass by reference

…VAR a : boolean; b : foo(a);…MODULE foo(x)ASSIGN x:=1;

2/18/2005 19

MODULE mainVAR

bit0 : counter_cell(1);bit1 : counter_cell(bit0.carry_out);

bit2 : counter_cell(bit1.carry_out);SPEC AG AF bit2.carry_out

MODULE counter_cell(carry_in)VAR value : boolean;ASSIGN init(value) := 0; next(value) := value + carry_in mod 2;DEFINE carry_out := value & carry_in;

2/18/2005 20

Module Composition

Synchronous composition All assignments are executed in parallel and

synchronously. A single step of the resulting model

corresponds to a step in each of the components.

Asynchronous composition A step of the composition is a step by exactly

one process. Variables, not assigned in that process, are left

unchanged.

2/18/2005 21

Asynchronous Composition

MODULE mainVAR

gate1: process inverter(gate3.output);gate2: process inverter(gate1.output);gate3: process inverter(gate2.output);

SPEC (AG AF gate1.output) & (AG AF !gate1.output)

MODULE inverter(input)VAR output: boolean;ASSIGN init(output) := 0; next(output) := !input;

2/18/2005 22

Fairness FAIRNESS ctl_formulae

Assumed to be true infinitely often Model checker only explores paths satisfying

fairness constraint Each fairness constraint must be true infinitely

often

If there are no fair paths All existential formulas are false All universal formulas are true

FAIRNESS running

2/18/2005 23

With Fairness..MODULE mainVAR

gate1: process inverter(gate3.output);gate2: process inverter(gate1.output);gate3: process inverter(gate2.output);

SPEC (AG AF gate1.output) & (AG AF !gate1.output)

MODULE inverter(input)VAR output: boolean;ASSIGN init(output) := 0; next(output) := !input;

FAIRNESS running

2/18/2005 24

Counter revisited

MODULE mainVAR count_enable : boolean; bit0 : counter_cell(count_enable); bit1 : counter_cell(bit0.carr_out); bit2 : counter_cell(bit1.carry_out);SPEC AG AF bit2.carry_outFAIRNESS count_enable

2/18/2005 25

Synchronous vs Asynchronous• In Asynchronous process, need not

combine transition relation of each process

• Complexity of representing set of states reachable in n steps higher in asynchronous processes occassionally due to higher number of interleavings

2/18/2005 26

Implicit Modelling TRANS - boolean valued expr

restricting transition relation of system

INIT - boolean valued expression giving initial states

INVAR - boolean valued expression restricting set of all states of model

2/18/2005 27

Implicit Modelling ExampleMODULE mainVAR gate1 : inverter(gate3.output); gate2 : inverter(gate1.output); gate3 : inverter(gate2.output);SPEC (AG AF gate1.out) & (AG AF !gate1.out)

MODULE inverter(input)VAR Output : boolean;INIT output = 0;TRANS next(output) = !input | next(output) = output

2/18/2005 28

TRANS

Advantages• Group assignments to different variables• Good for modelling guarded commands

Disadvantages• Logical absurdities can lead to

unimplementable descriptions

2/18/2005 29

Shared Data ExampleTwo Users assign pid to shared data in turnMODULE mainVAR data : boolean; turn : boolean; user0 : user(0, data, turn); user1 : user(1, data, turn);ASSIGN next(turn) := !turn;SPEC AG (AF data & AF (!data))

2/18/2005 30

Shared data example (cont..)Using ASSIGN and CASE statement won’t

work(constraining sema all the time)MODULE user(pid, data, turn)ASSIGN next(data) := case turn: pid; 1 : data; esac;

Line 3: multiple assignment: next(data)

2/18/2005 31

Using TRANS

TRANS useful for changing shared data in synchronous system between modules.

MODULE user(pid, turn, data)TRANS turn -> next(data) = pid

2/18/2005 32

Guarded CommandsGuard1 : action1Guard2 : action2.. Otherwise nop

TRANS (guard1 & action1)|(guard2 & action2)|…(!guard1 & !guard2 & … & “nop”)

2/18/2005 33

TRANS Pitfall

True -> next(b) = 0 &True -> next(b) = 1 & …

Results in an empty transition relation

2/18/2005 34

TRANS Guidelines Try using ASSIGN instead Write in a disjunction of conjunction

format Try covering all cases Try make guards disjoint

2/18/2005 35

SMV Steps Read_Model : read model from input smv

file Flatten_hierarchy : instantiate modules

and processes Build_model : compile the model into

BDDs (initial state, invar, transition relation)

Check_spec : checking specification bottom up

2/18/2005 36

Run SMV smv [options] inputfile

-c cache-size for BDD operations -k key-table-size for BDD nodes -v verbose -int interactive mode -r

prints out statistics about reachable state space

2/18/2005 37

SMV Options –f

computes set of reachable states first Model checking algorithm traverses

only the set of reachable states instead of complete state space.

useful if reachable state space is a small fraction of total state space

2/18/2005 38

SMV Options: Reordering vars Variable reordering is crucial for small BDD sizes

and speed.

Generally, variables which are related need to be close in the ordering.

–i filename –o filename Input, output BDD variable ordering to given file.

-reorder Invokes automatic variable reordering

2/18/2005 39

SMV Options: Transition relation

smv -cp part_limit

Conjunctive Partitioning: Transition relation not evaluated as a whole, instead individual next() assignments are grouped into partitions that do not exceed part_limit

Uses less memory and benefits from early quantification

2/18/2005 40

SMV options: -inc Perform incremental evaluation of

the transition relation At each step in forward search,

transition relation restriced to reached state set

Cuts down on size of transition relation with overhead of extra computation

2/18/2005 41

Example: Client & ServerMODULE client (ack)VAR state : {idle, requesting}; req : boolean;

ASSIGN init(state) := idle; next(state) := case state=idle : {idle, requesting}; state=requesting & ack : {idle, requesting}; 1 : state; esac;

req := (state=requesting);

2/18/2005 42

MODULE server (req)

VAR state : {idle, pending, acking}; ack : boolean;

ASSIGN next(state) := case state=idle & req : pending; state=pending : {pending, acking}; state=acking & req : pending; state=acking & !req : idle; 1 : state; esac;

ack := (state = acking);

2/18/2005 43

Is the specification true?MODULE mainVAR c : client(s.ack); s : server(c.req);

SPEC AG (c.req -> AF s.ack)

Need fairness constraint: Suggestion:

FAIRNESS s.ack Why is this bad? Solution:

FAIRNESS (c.req -> s.ack)

2/18/2005 44

NuSMV Specifications expressible in CTL, LTL and

Real time CTL logics Provides both BDD and SAT based model

checking. Uses a number of heuristics for achieving

efficiency and control state explosion Higher number of features in interactive

mode

2/18/2005 45

Cadence SMV Provides “compositional

techniques” to verify large complex systems by decomposition to smaller problems.

Provides a variety of techniques for refinement verification, symmetry reductions, uninterpreted functions, data type reductions.

2/18/2005 46

Useful Links

SMV sources, binaries and manualshttp://www.cs.cmu.edu/~modelcheck/smv.html

SMV man page http://www.cs.cmu.edu/~dongw/smv.txt

SMV manualhttp://www.cs.cmu.edu/~modelcheck/smv/smvmanual.ps

Tutorial on verification techniques using Cadence SMVhttp://www-cad.eecs.berkeley.edu/~kenmcmil/tutorial.ps

SMV Input Language documentationhttp://www-cad.eecs.berkeley.edu/~kenmcmil/psdoc.html

2/18/2005 47

Downloads SMVwww.cs.cmu.edu/~modelcheck/smv.html NuSMVhttp://nusmv.irst.itc.it/ Cadence SMVhttp://wwwcad.eecs.berkeley.edu/~kenmcmil/smv