
NuSMV-tutorial

A Simple Tutorial on NuSMV

Chenyi Zhang

March 28, 2007

For a comprehensive tutorial, please visit the site http://nusmv.irst.itc.it/


Introduction: History

- SMV is the first BDD-based symbolic model checker
- NuSMV is a re-implementation and extension of SMV by ITC-IRST, UniTN, CMU and UniGE; it is now at version 2.4.1
- Extensions: LTL, simulation, SAT, etc.
- Open-source licensing
- In CSE it is available at czhang/nusmv; you may create a link to this file by resetting your $PATH and then export


An Overview of the Modeling Language

- Recall that model checking is: M |= 
- In NuSMV, the system M is a Kripke structure defined by state variables of the types boolean, enumerated, bounded integer and array, and by transitions written in assignment style or constraint style (more in later slides)
- The specification is a CTL formula, an LTL formula or an invariant
- Fairness may also be assumed


A Hello World Example

    MODULE main
    VAR
      b0 : boolean;
    ASSIGN
      init(b0) := 0;
      next(b0) := !b0;

State diagram: two states, !b0 (b0 = 0) and b0 (b0 = 1), which alternate at every step.


Declaring State Variables

- State variables determine the size of the Kripke structure
- Available types: boolean, enumerative, bounded integers

    VAR
      x     : boolean;
      state : {ready, busy, waiting};
      num   : 1..8;


Another Example

    MODULE main
    VAR
      b0 : boolean;
      b1 : boolean;
    ASSIGN
      init(b0) := 0;
      next(b0) := !b0;

State diagram: four states, !b0 & !b1, b0 & !b1, !b0 & b1 and b0 & b1. Since b1 has no assignment, it evolves nondeterministically.


Expressions

- Arithmetic operators: +, -, *, /, mod, - (unary)
- Comparison operators: =, !=, >, <, <=, >=
- Logic operators: &, |, xor, !, ->, <->
- Set operators: {v1, v2, ... vn}, in, union
- Conditional expression:

    variable := case
      c1 : e1;
      c2 : e2;
      ...
      1  : en;
    esac;


Syntax for ASSIGN statements

    init(<variable>) := <simple_expression>;
    next(<variable>) := <next_expression>;

- The expression must evaluate to values in the domain of the variable
- A next expression may depend on both current and next values
- If no next() assignment is specified for a variable, then the variable evolves nondeterministically (i.e., it's unconstrained)


The DEFINE Declaration

    MODULE main
    VAR
      b0 : boolean;
      b1 : boolean;
      b2 : boolean;
    ASSIGN
      init(b0) := 0;
      ...
    DEFINE
      out  := b0 + 2*b1 + 4*b2;
      done := b0 & b1 & b2;

- There are no VAR definitions like out : 0..7; done : boolean;
- No new state variable is created (hence, no added complexity)


Arrays

The SMV language also provides the possibility to define arrays.

    VAR
      x : array 0..10 of boolean;
      y : array 2..4 of 0..10;
    ASSIGN
      init(x[5]) := 1;
      init(y[2]) := {0,2,4,6,8,10};

Array indexes in SMV must be constants.


Restrictions on the ASSIGN statements

- Double assignments rule: each variable may be assigned only once
  - but a set of values can be assigned at once (nondeterminism), e.g. next(num) := {1, 2};
- Circular dependencies rule: a variable cannot have cycles in its dependency graph that are not broken by delays


Examples: which are illegal?

    init(status) := ready;
    init(status) := busy;

    init(status) := {ready, busy};

    x := (y + 1) mod 2;
    y := (x + 1) mod 2;

    next(x) := x & next(y);
    next(y) := y & next(x);

    next(x) := x & next(y);


Examples Cont.

    init(status) := ready;            -- double assignment
    init(status) := busy;

    init(status) := {ready, busy};    -- ok

    x := (y + 1) mod 2;               -- circular dependency
    y := (x + 1) mod 2;

    next(x) := x & next(y);           -- circular dependency
    next(y) := y & next(x);

    next(x) := x & next(y);           -- ok, no cycles


Modules

An SMV program can consist of one or more module declarations.

    MODULE mod
    VAR
      out : 0..9;
    ASSIGN
      next(out) := (out+1) mod 10;

    MODULE main
    VAR
      m1  : mod;
      m2  : mod;
      sum : 0..18;
    ASSIGN
      sum := m1.out + m2.out;

Module hierarchy: main instantiates m1 and m2.


More Modules

- Modules are instantiated in other modules. The instantiation is performed inside the VAR declaration of the parent module.
- In each SMV specification there must be a module main. It is the top-most module.
- All the variables declared in a module instance are visible in the module in which it has been instantiated via the dot notation (e.g., m1.out, m2.out).

    MODULE mod(in)
    VAR
      out : 0..9;
    ...

    MODULE main
    VAR
      m1 : mod(m2.out);
      m2 : mod(m1.out);
    ...


Specifications

- Specifications can be added in any module of the program
- Each property is verified separately
- Different kinds of properties are allowed:
  - On reachable states: INVARSPEC
  - On the computation paths (LTL): LTLSPEC
  - Quantitative characteristics of models: COMPUTE
  - Branching time (CTL): SPEC
  - Bounded CTL: SPEC


Syntax for Specifications

- INVARSPEC <simple_expression>
  Example: INVARSPEC (m1.crit -> !m2.crit) & (m2.crit -> !m1.crit)
- LTLSPEC <ltl_expression>
  Temporal operators: X, F, G, U
  Example: LTLSPEC F out = 3
- SPEC <ctl_expression>
  Temporal operators: AX, AF, AG, EX, EF, EG, A[ U ], E[ U ]
- Bounded CTL: SPEC ABF 0..2 out = 3, which says that out = 3 is reached within 2 steps on every path


Fairness Constraints

- NuSMV allows the user to specify fairness constraints
- Fairness constraints are formulas which are assumed to be true infinitely often in all the execution paths of interest
- During the verification of properties, NuSMV considers path quantifiers to apply only to fair paths
- Syntax: FAIRNESS <simple_expression>
  Example: FAIRNESS out = 3


The Constraint Style

    MODULE main
    VAR
      request : boolean;
      state   : {ready, busy};
    ASSIGN
      init(state) := ready;
      next(state) := case
        state = ready & request : busy;
        1                       : {ready, busy};
      esac;

This program can alternatively be defined in a constraint style:

    MODULE main
    VAR
      request : boolean;
      state   : {ready, busy};
    INIT
      state = ready
    TRANS
      (state = ready & request) -> next(state) = busy


Assignments vs Constraints

- Any ASSIGN-based specification can be easily rewritten as an equivalent constraint-based specification, but the converse might be hard
- In assignment style, there is always at least one initial state, and all states have at least one next state by construction
- In constraint style, INIT constraints can be inconsistent (e.g. INIT p & !p); then any specification is vacuously true
- TRANS constraints can be inconsistent in the sense that the transition relation is not total (there are deadlock states); NuSMV detects and reports this case
- In assignment style, nondeterminism is apparent (unassigned variables, set assignments, ...), but in constraint style nondeterminism is hidden in the constraints
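The two constraint-style failure modes named above, as an added example that is not the slides' own code: a TRANS that leaves a deadlock state, the assignment-style version that cannot, and an INIT whose inconsistency makes a property pass vacuously. Module and variable names (counter_deadlock, counter_ok, vacuous) are this example's own.

```smv
-- Added example, not from the slides. Two constraint-style pitfalls that the
-- assignment style rules out by construction, each in its own module.
-- Names (counter_deadlock, counter_ok, vacuous) are this example's own.

-- 1) Non-total TRANS. count + 1 has no value in 0..3 when count = 3, so the
--    state count = 3 has no successor: a deadlock state. The check_fsm
--    command in the NuSMV shell reports that the transition relation is not
--    total and lists such states.
MODULE counter_deadlock
VAR
  count : 0..3;
INIT
  count = 0
TRANS
  next(count) = count + 1

-- 2) Assignment-style equivalent: the next() expression always yields a
--    value in 0..3, so every state has a successor and wrap-around is explicit.
MODULE counter_ok
VAR
  count : 0..3;
ASSIGN
  init(count) := 0;
  next(count) := (count + 1) mod 4;

-- 3) Inconsistent INIT. No state satisfies p & !p, so there are no reachable
--    states and the INVARSPEC holds vacuously: the check passes although the
--    "invariant" says nothing about any real behaviour.
MODULE vacuous
VAR
  p : boolean;
INIT
  p & !p
INVARSPEC
  p

MODULE main
VAR
  -- Instantiate one module at a time: counter_deadlock or vacuous make the
  -- whole model deadlock or empty, which is what the check should reveal.
  c : counter_ok;
-- Holds for counter_ok: the counter keeps wrapping around to 0 forever.
LTLSPEC
  G F c.count = 0
```

Run check_fsm before trusting any passing specification on a constraint-style model; a property proven over an empty or deadlocking state space proves nothing about the design.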


Demo: A simple print server

State diagram: four states labelled ready/!req, busy/!req, ready/req and busy/req (the values of state and request).


Synchronous Composition

    MODULE cell(input)
    VAR
      val : {red, green};
    ASSIGN
      next(val) := {val, input};

    MODULE main
    VAR
      c1 : cell(c2.val);
      c2 : cell(c1.val);

By default, composition of modules is synchronous. Here is a possible execution:

    step    0      1      2      3      ...
    c1.val  red    green  green  green  ...
    c2.val  green  red    green  green  ...


Asynchronous Composition

- Asynchronous composition can be obtained by using the keyword process.
- In asynchronous composition one process moves at each step.
- The boolean variable running is defined in each process: it is true when that process is selected. It can be used to guarantee a fair scheduling of processes.

    MODULE cell(input)
    VAR
      val : {red, green, blue};
    ASSIGN
      next(val) := {val, input};
    FAIRNESS running

    MODULE main
    VAR
      c1 : process cell(c2.val);
      c2 : process cell(c3.val);
      c3 : process cell(c1.val);


A Possible Asynchronous Run

    step    0      1      2      3      4      ...
    c1.val  red    red    green  green  green  ...
    c2.val  green  green  green  blue   blue   ...
    c3.val  blue   blue   blue   blue   green  ...
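A complete model combining the constructs of the Specifications, Fairness Constraints and Asynchronous Composition slides, added here as an example and not part of the original tutorial: two processes sharing a semaphore, checked for a safety property that holds and a liveness property that fails. Module and variable names (proc, semaphore, crit) are this example's own; booleans are written TRUE/FALSE where the slides write 1/0.

```smv
-- Added example, not from the slides: two processes competing for a shared
-- semaphore. Names (proc, semaphore, crit) are this example's own.
MODULE proc(semaphore)
VAR
  state : {idle, entering, critical, exiting};
ASSIGN
  init(state) := idle;
  next(state) := case
    state = idle                  : {idle, entering};   -- may request entry
    state = entering & !semaphore : critical;           -- acquire
    state = critical              : {critical, exiting};
    state = exiting               : idle;
    TRUE                          : state;              -- blocked: semaphore held
  esac;
  -- Acquire/release happen in the same step as the state change, and only one
  -- process moves per step, so there is no check-then-act window.
  next(semaphore) := case
    state = entering & !semaphore : TRUE;
    state = exiting               : FALSE;
    TRUE                          : semaphore;
  esac;
DEFINE
  crit := state = critical;
FAIRNESS running   -- every process is scheduled infinitely often

MODULE main
VAR
  semaphore : boolean;
  p1 : process proc(semaphore);
  p2 : process proc(semaphore);
ASSIGN
  init(semaphore) := FALSE;

-- Safety (expected to hold): never both in the critical section.
INVARSPEC !(p1.crit & p2.crit)
-- The same property as a CTL formula over all reachable states.
SPEC AG !(p1.crit & p2.crit)
-- Liveness (expected to fail): FAIRNESS running only says p1 is scheduled
-- infinitely often, not that it is scheduled while the semaphore is free, so
-- p2 can keep re-acquiring and starve p1. NuSMV prints such a run as a
-- counterexample, which is the trace to read when the check says false.
LTLSPEC G (p1.state = entering -> F p1.crit)
```

The counterexample for the LTLSPEC is the instructive output: it shows that mutual exclusion (safety) and freedom from starvation (liveness) are separate obligations, and that the fairness assumption must match the scheduler you actually have.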


Questions


Other Issues

1. Consultation: when (?) and where (CSE level 2)
2. Ask questions on the course forum
