Lecture 4: Checking properties in NuSMV
- B. Srivathsan
Chennai Mathematical Institute
Model Checking and Systems Verification January - April 2016
Outline
◮ Module 1: Synchronous Vs Asynchronous composition
◮ Module 2: More examples of NuSMV models and
◮ Module 3: A problem in concurrency
◮ Module 4: What is a property?
Acknowledgements: Content in this part of the module is taken from the lecture slides of
[Figure: two traffic lights, L1 and L2, with the states L1.red and L2.red marked]
If a light is red, it can stay red for an arbitrary period
If it goes yellow, it should become green within one cycle
If it is green, it can stay green for an arbitrary period
◮ Synchronous:
  ◮ all assignments to all modules made simultaneously
  ◮ suitable when all modules are synchronized to a global
◮ Asynchronous:
  ◮ execution of modules is interleaved
  ◮ at a time, only one module executes
  ◮ choice of next module to be executed is
  ◮ suitable when no assumptions can be made about
Shared resource (variable, printer, ...)
Mutual Exclusion: No two processes can access the resource simultaneously
P1 (and, identically, P2):
loop forever
  *non-critical actions*
  *request*   〈 if y>0: y:=y-1 〉   (executed atomically)
  critical section
  *release*   y:=y+1
  *non-critical actions*
end loop

Program graphs PG1 (locations noncrit1, wait1, crit1) and PG2 (locations noncrit2, wait2, crit2): the edge into the critical section is guarded by y>0 and performs y:=y-1; the edge leaving it performs y:=y+1.

NuSMV demo: mutex-demo.smv
Program graphs PG1 and PG2, each with locations non-crit, wait, crit, exiting; entering crit is guarded by y>0 with y:=y-1, and y:=y+1 is performed on the way back to non-crit.

NuSMV demo: mutex-demo1.smv
Three programs over the variable x, each as a program graph with two locations:

  while x < 200 do x := x+1    locations l1, l2; edge guarded by x < 200, action x := x+1
  while x > 0 do x := x-1      locations m1, m2; edge guarded by x > 0, action x := x-1
  while x = 200 do x := 0      locations n1, n2; edge guarded by x = 200, action x := 0

NuSMV demo: three-program-demo.smv
P0 ... P3 : processes
S0 ... S3 : resources
Process Pi can execute if it has access to resources S(i−1) mod 4 and Si mod 4.
[Figure: P0, P1, P2, P3 arranged in a ring with resources S0, S1, S3, S2 between them]
How should the processes be scheduled so that every process can execute infinitely often?
P0 ... P3 : philosophers
S0 ... S3 : chop-sticks
Philosopher Pi can eat if he has access to chop-sticks S(i−1) mod 4 and Si mod 4.
[Figure: P0, P1, P2, P3 around the table with chop-sticks S0, S1, S3, S2 between them]
What should the protocol be so that every philosopher can eat infinitely
Program graph for Philosopher i: locations think, req_left, req_right, have_left, have_right, eat, return. The edges out of the req_/have_ locations are labelled sticks[i]=free : sticks[i]:=i and sticks[i-1]=free : sticks[i-1]:=i; on return, sticks[i]=free and sticks[i-1]=free.

NuSMV demo
[Figure: an execution of the four philosophers from 〈 think, think, think, think 〉 to 〈 have_left, have_left, have_left, have_left 〉 in steps 1, 2, 3, with the sticks shown alongside]
◮ Next module: Attach a mathematical meaning to properties
◮ Next lecture: Classification of properties into various types
◮ Next lecture: Answer to the above question
[Figure: transition system with states request=1 ready, request=1 busy, request=0 ready, request=0 busy, labelled with the sets { p1 }, { p1,p2 }, { p2 }, {}]

MODULE main
VAR
  request: boolean;
  status: {ready, busy};
ASSIGN
  init(status) := ready;
  next(status) := case
                    request : busy;
                    TRUE : {ready,busy};
                  esac;
Execution:  request=0 ready,  request=0 busy,  request=0 ready,  request=1 busy,  request=1 busy
Trace:      { },              { p2 },          { },              { p1,p2 },       { p1,p2 }

Execution:  request=1 ready,  request=1 busy,  request=0 busy,  request=1 busy,  request=0 busy
Trace:      { p1 },           { p1,p2 },       { p2 },          { p1,p2 },       { p2 }
AP = { p1, p2, ..., pk }
PowerSet(AP) = { { }, {p1}, ..., {pk}, { p1,p2 }, { p1,p3 }, ..., { pk−1,pk }, ..., { p1,p2,...,pk } }
Trace(Execution) is an infinite word over PowerSet(AP)
Traces(TS) is the set { Trace(σ) | σ is an execution of the TS }
[Figure: the transition system with states request=1 ready, request=1 busy, request=0 ready, request=0 busy, labelled { p1 }, { p1,p2 }, { p2 }, {}]
Traces:
{ } { } { } { } { } { } { } { } ...
{ } { p2 } { p2 } { p2 } { p2 } { p2 } { p2 } ...
{ p1 } { p1,p2 } { p2 } { p1,p2 } { p2 } { p1,p2 } ...
{} { p1,p2 } { p1,p2 } { p1,p2 } { p1,p2 } { p1,p2 } ...
Traces of a TS describe its behaviour with respect to the atomic propositions
AP-INF = set of infinite words over PowerSet(AP)

Property 1: p1 is always true
{ A0 A1 A2 ··· ∈ AP-INF | each Ai contains p1 }
{ p1 } { p1 } { p1 } { p1 } { p1 } { p1 } { p1 } ...
{ p1 } { p1,p2 } { p1 } { p1,p2 } { p1 } { p1,p2 } ...
. . .

Property 2: p1 is true at least once and p2 is always true
{ A0 A1 A2 ··· ∈ AP-INF | exists Ai containing p1 and every Aj contains p2 }
{ p2 } { p1,p2 } { p2 } { p2 } { p2 } { p1,p2 } { p2 } ...
{ p1,p2 } { p2 } { p2 } { p2 } { p2 } { p2 } ...
. . .
Transition System (AP = { p1, p2 }): [Figure: states request=1 ready, request=1 busy, request=0 ready, request=0 busy, labelled { p1 }, { p1,p2 }, { p2 }, {}]
Property: G p1
Transition system TS satisfies property P if Traces(TS) ⊆ P
◮ Use of MODULE in NuSMV
◮ Synchronous Vs Asynchronous composition of
◮ Mutual exclusion: checked some kind of safety property
◮ What properties do we check for detecting deadlocks?
◮ Definition of property