Automated Reasoning Lecture 3: Tie NuSMV Model Checler Jacques - PowerPoint PPT Presentation

Automated Reasoning Lecture 3: Tie NuSMV Model Checler Jacques Fleuriot jdf@inf.ed.ac.uk

Recap ▶ Previously: ▶ Model Checking Introduction ▶ Linear Temporal Logic ▶ Tiis time: An implementation of LTL Model Checking ▶ NuSMV

NuSMV NuSMV is a symbolic model checker developed by ITC-IRST and UniTN with the collaboration of CMU and UniGE. http://nusmv.fbk.eu/ Tie NuSMV project aims at the development of a state-of-the-art model checker that: NuSMV is OpenSource ▶ is robust, open and customizable; ▶ can be applied in technology transfer projects; ▶ can be used as research tool in difgerent domains. ▶ developed by a distributed community, “Free Sofuware” license

NuSMV NuSMV provides: 1. A language for describing fjnite state models of systems 2. Model checking algorithms for checking specifjcations writuen in LTL and CTL (and some other logics) against fjnite state machines. ▶ Reasonably expressive ▶ Allows for modular construction of models

A fjrst SMV program MODULE main VAR b0 : boolean ASSIGN init(b0) := FALSE; next(b0) := !b0; An SMV program consists of: determine the state space of the model. ( init(b0) := FALSE ). ( next(b0) := !b0 ). ▶ Declarations of state variables ( b0 in the example); these ▶ Assignments that constrain the valid initial states ▶ Assignments that constrain the transition relation

Declaring state variables SMV data types include: boolean : x : boolean; enumeration : st : {ready, busy, waiting, stopped}; bounded integers (intervals) : n : 1..8; arrays and bit-vectors arr : array 0..3 of {red, green, blue}; bv : signed word[8];

Assignments initialisation : ASSIGN init(x) := expression ; progression : ASSIGN next(x) := expression ; immediate : ASSIGN y := expression ; or DEFINE y := expression ;

Assignments initialised non-deterministically; nondeterministically. i.e. it is unconstrained. inputs to the system. variable in terms of the current values of other variables. system. ▶ If no init() assignment is specifjed for a variable, then it is ▶ If no next() assignment is specifjed, then it evolves ▶ Unconstrained variables can be used to model nondeterministic ▶ Immediate assignments constrain the current value of a ▶ Immediate assignments can be used to model outputs of the

Expressions next value expr [ expr ] case _ expr binary operation set _ expr expr logical not ! expr variable identifjer id numeric constant number symbolic constant atom array lookup ::= | | | | expr ▷ ◁ expr | | next ( expr ) | | ◁ ∈ { & , | , + , - , * , / , = , != , < , <= , ... } where ▷

Case Expression case esac case _ expr ::= expr a1 : expr b1 ; . . . expr an : expr bn ; ▶ Guards are evaluated sequentially. ▶ Tie fjrst true guard determines the resulting value

Set expressions Expressions in SMV do not necessarily evaluate to one value. init(var) := {a,b,c} union {x,y,z} ; the set expression (rhs) ▶ In general, they can represent a set of possible values. ▶ destination (lhs) can take any value in the set represented by ▶ constant c is a syntactic abbreviation for singleton {c}

LTL Specifjcations LTLSPEC <ltl_expression> ; X_ F_ G_ _U_ LTLSPEC (out = 0) U (!reset) ▶ LTL properties are specifjed with the keyword LTLSPEC : ▶ <ltl_expression> can contain the temporal operators: ▶ E.g. condition out = 0 holds until reset becomes false:

ATM Example state = tryAgain & action = ack | G state = sorry LTLSPEC F( G state = thanksGoodbye esac; : state; TRUE : thanksGoodbye; state = enterPin & action = cancel : sorry; state = askAmount & action = problem : thanksGoodbye; state = askAmount & action = fundsOK : enterPin; : tryAgain; MODULE main state = enterPin & action = wrongPin state = enterPin & action = correctPin : askAmount ; : enterPin; state = welcome & action = cardIn next(state) := case init(state) := welcome; ASSIGN fundsOK, problem, none}; action: {cardIn, correctPin, wrongPin, ack, cancel, thanksGoodbye, sorry}; state: {welcome, enterPin, tryAgain, askAmount, VAR );

Running NuSMV Batci $ NuSMV atm.smv Interactive $ NuSMV -int atm.smv NuSMV > go NuSMV > check_ltlspec NuSMV > quit flatten_hierarchy , encode_variables , build_model . Manual. ▶ go abbreviates the sequence of commands read_model , ▶ For command options, use -h or look in the NuSMV User

Expected Failure state = welcome input = ack state = askAmount -> State: 1.3 <- -- Loop starts here input = correctPin state = enterPin -> State: 1.2 <- input = cardIn -> State: 1.1 <- NuSMV > check_ltlspec Trace Type: Counterexample Trace Description: LTL Counterexample -- as demonstrated by the following execution sequence is false G state = sorry) | F ( G state = thanksGoodbye -- specification -> State: 1.4 <-

Unexpected Failure -> State: 2.1 <- input = ack state = enterPin -> State: 2.2 <- -- Loop starts here input = cardIn state = welcome Trace Type: Counterexample -- specification Trace Description: LTL Counterexample -- as demonstrated by the following execution sequence is false G state = sorry)) F ( G state = thanksGoodbye | ( F ( G !(state = askAmount)) -> -> State: 2.3 <-

Success -- specification ( G (((state = welcome -> F input = cardIn) & (state = enterPin -> F (state = enterPin & (input = correctPin | input = cancel)))) & (state = askAmount -> F (input = fundsOK | input = problem))) -> F ( G state = thanksGoodbye | G state = sorry)) is true

Modules MODULE counter module in which it has been instantiated via the dot notation the top-most module. performed inside the VAR declaration of the parent module. sum := c0.digit + 10 * c1.digit; ASSIGN sum : 0..99; c1 : counter; VAR c0 : counter; MODULE main next(digit) := (digit + 1) mod 10; init(digit) := 0; ASSIGN VAR digit : 0..9; (e.g., c0.digit , c1.digit ). ▶ Modules are instantiated in other modules. Tie instantiation is ▶ In each SMV specifjcation there must be a module main. It is ▶ All the variables declared in a module instance are visible in the

Modules MODULE counter VAR digit : 0..9; ASSIGN init(digit) := 0; next(digit) := (digit + 1) mod 10; MODULE main VAR c0 : counter; c1 : counter; sum : 0..99; ASSIGN sum := c0.digit + 10 * c1.digit; LTLSPEC F sum = 13; ▶ Is this specifjcation satisfjed by this model?

-- specification -> State: 1.2 <- sum = 22 c1.digit = 2 c0.digit = 2 -> State: 1.3 <- sum = 11 c1.digit = 1 c0.digit = 1 sum = 0 F sum = 13 c1.digit = 0 c0.digit = 0 -> State: 1.1 <- -- Loop starts here Trace Type: Counterexample Trace Description: LTL Counterexample -- as demonstrated by the following execution sequence is false ...

Modules with parameters MODULE counter(inc) parameters ( TRUE , c0.top ) when the module is instantiated. sum := c0.digit + 10 * c1.digit; ASSIGN sum : 0..99; c1 : counter(c0.top); VAR c0 : counter(TRUE); MODULE main DEFINE top := digit = 9; : digit; next(digit) := inc ? (digit + 1) mod 10 init(digit) := 0; ASSIGN VAR digit : 0..9; ▶ Formal parameters (inc) are substituted with the actual ▶ Actual parameters can be any legal expression. ▶ Actual parameters are passed by reference.

-- specification F sum = 13 is true

Summary http://nusmv.fbk.eu/NuSMV/tutorial/v26/tutorial.pdf ▶ Introduction to NuSMV ▶ H&R Section 3.3 ▶ NuSMV Tutorial: ▶ NuSMV Start-up Guide on FV Web Page ▶ Next time: ▶ Introduction to the practical exercise.