

### Reference material:

 Tutorial material from the nuSMV web site http://nusmv.fbk.eu/NuSMV/tutorial/index.html

Notes of prof. Alessandro Artale in Bozen: <a href="http://www.inf.unibz.it/~artale/FM/fm.htm">http://www.inf.unibz.it/~artale/FM/fm.htm</a>

### Verifica dei Programmi Concorrenti 17-18

### **NuSMV**

Prof.ssa Susanna Donatelli Universita' di Torino

www.di.unito.it

susi@di.unito.it

NUSMV is a symbolic model checker developed as a joint project between the Formal Methods group at ITC-IRST, the Model Checking group at Carnegie Mellon University, the Mechanized Reasoning Group at University of Geneva and the Mechanized Reasoning Group at University of Trento.

Current version: 2.6.0

Tutorial 2.6

The input language are state machines



### nuSMV – input language

NUSMV consists of one or more modules and one must be called main.

### An SMV program consists of:

- Type declarations of the system variables;
- Assignments that define the valid initial states (e.g., init(b0) := 0).
- Assignments that define the transition relation (e.g., next(b0) := !b0).
- They can be Non-Deterministic: Several values in braces.
- CTL or LTL specifications introduced by the keywords SPEC, LTLSPEC, respectively.

- NUSMV takes the specification of a model and a set of properties (either in CTL or LTL) as input.
- NUSMV output either *True* if the properties hold or *False* with a trace showing the failure.
- The set of states correspond to the set of all possible values for the variables.
- NUSMV uses !,&, |, -> for the boolean not, and, or, implies.
- NUSMV uses G,F,X,U,A,E as defined before

- NUSMV breaks a system description into modules.
- A module is instantiated when a variable having the module as its type is declared.
- Modules can have parameters.
- The notation module-name.x is used to access the variable x of the module-name.
- The keyword DEFINE is used to assign (the current value of) an expression to a symbol without the need to introduce a variable.
- Defined symbols refer just to an expression then they cannot be assigned non-deterministically.

- Modules, by default, are composed synchronously
- Each of the modules execute in parallel (e.g., the counter example).
- Using the keyword process modules are composed asynchronously (interleaving semantics): at each tick one of them is non-deterministically chosen and executed.
- The main use of NUSMV is through an interactive shell.
- The user has the possibility to:
  - Explore the possible executions called *Traces*;
  - Construct the Model;
  - Check specification and/or build counterexamples;



### nuSMV: first example

The variable request is not assigned. This means that there are no constraints on its values, and thus it can assume any value. request is thus an unconstrained input to the system.



### nuSMV: first example

```
MODULE main
VAR
    request : boolean;
    state : {ready,busy};
ASSIGN
    init(state) := ready;
    next(state):= case
        state=ready & request=1: busy;
        TRUE : {ready, busy}
        esac;
```



### nuSMV: second example

```
MODULE counter_cell (carry_in)
    VAR
       value : boolean;
    ASSIGN
       init(value) := 0;
       next(value):= (value + carry_in) mod 2;
    DFFINE
       carry_out := value & carry_in;
MODULE main
    VAR
       bit0 : counter_cell(1);
       bit1 : counter_cell(bit0.carry_out);
       bit2 : counter_cell(bit1.carry_out);
```

| MODILLE counter cell (count in)                                                                       |      | value | Carry_in | Carry_out |
|-------------------------------------------------------------------------------------------------------|------|-------|----------|-----------|
| MODULE counter_cell (carry_in) VAR value : boolean; ASSIGN                                            | bit0 | 0     | 1        | 0         |
|                                                                                                       | bit1 | 0     | 0        | 0         |
| init(value) := 0;<br>next(value):= (value + carry_in) mod 2;                                          | bit2 | 0     | 0        | 0         |
| DEFINE carry_out := value & carry_in;                                                                 |      |       |          |           |
| MODULE main                                                                                           | bit0 | 1     | 1        | 0         |
| VAR bit0 : counter_cell(1); bit1 : counter_cell(bit0.carry_out); bit2 : counter_cell(bit1.carry_out); | bit1 |       |          |           |
|                                                                                                       | bit2 |       |          |           |
| bit0.carry_in = 1                                                                                     |      |       |          |           |
| bit1.carry_in = bit0.value<br>bit2.carry_in = bit1.value & bit1.carry_in                              | bit0 |       |          |           |
|                                                                                                       | bit1 |       |          |           |
| bit0.carry_out = bit0.value                                                                           | bit2 |       |          |           |
| bit1.carry_out = bit1.value & bit1.carry_in<br>bit2.carry_out = bit2.value & bit2.carry_in            |      |       |          |           |
| ,_                                                                                                    | bit0 |       |          |           |
|                                                                                                       | bit1 |       |          |           |
|                                                                                                       | bit2 |       |          |           |
|                                                                                                       |      |       |          |           |
|                                                                                                       | bit0 |       |          |           |
|                                                                                                       | bit1 |       |          |           |
|                                                                                                       | bit2 |       |          |           |
|                                                                                                       |      |       |          |           |



### nuSMV: asynchronous example

nuSMV allows for synchronous behaviour (as in previous example) as well as asynchronous, through the keyword "process"

It is implicit that if a given variable is not assigned by the process, then its value remains unchanged.



### nuSMV: asynchronous example

```
MODULE inverter(input)
VAR
  output : boolean;
ASSIGN
  init(output) := 0;
  next(output) := !input;
MODULE main
VAR
  gate1 : process inverter(gate3.output);
  gate2 : process inverter(gate1.output);
  gate3 : process inverter(gate2.output);
```

| MODULE inverter(input)                                                                                                  |       | output | input |
|-------------------------------------------------------------------------------------------------------------------------|-------|--------|-------|
| <pre>VAR    output : boolean; ASSIGN    init(output) := 0;    next(output) := !input; MODULE main</pre>                 | gate1 | 0      | 0     |
|                                                                                                                         | gate2 | 0      | 0     |
|                                                                                                                         | gate3 | 0      | 0     |
| <pre>VAR    gate1 : process inverter(gate3.output);</pre>                                                               |       |        |       |
| gate2 : process inverter(gate3.output); gate3 : process inverter(gate1.output); gate3 : process inverter(gate2.output); | gate1 | 0      | 0     |
|                                                                                                                         | gate2 | 0      | 0     |
| gate1.output = !gate1.input = !gate3.output                                                                             | gate3 | 1      | 0     |
| gate2.output = !gate2.input = !gate1.output                                                                             |       |        |       |
| gate3.output = !gate3.input = !gate2.output                                                                             | gate1 | 0      | 1     |
|                                                                                                                         | gate2 | 1      | 0     |
|                                                                                                                         | gate3 | 1      | 0     |
|                                                                                                                         |       |        |       |
|                                                                                                                         | gate1 |        | 1     |
|                                                                                                                         | gate2 |        | 0     |
|                                                                                                                         | gate3 |        | 1     |
|                                                                                                                         |       |        |       |
|                                                                                                                         | gate1 |        |       |
|                                                                                                                         | gate2 |        |       |
|                                                                                                                         | gate3 |        |       |



### nuSMV: fairness - justice

In asynchronous nuSMV a process is not "forced" to move (and therefore also unrealistic sequences are considered)

A fairness contraints can be specified:

FAIRNESS f uguale a justice f

Implies that only paths in which formula f is infinitely often true are considered by the model-checker

Example: FAIRNESS running

Where "running" is a predefined variable associated to each process, with the obvious meaning

### Synchronous inverter and fairness

```
MODULE inverter(input)
VAR
  output : boolean;
ASSIGN
  init(output) := FALSE;
  next(output) := (!input) union output;
MODULE main
VAR
  gate1 : inverter(gate3.output);
  gate2 : inverter(gate1.output);
  gate3 : inverter(gate2.output);
```

In this case we cannot force the inverters to be effectively active infinitely often using a fairness declaration. In fact, a valid scenario for the synchronous model is the one where all the inverters are idle and assign to the next output the current value of output.



### nuSMV: fairness - compassion

In NUSMV we can also specify compassion

COMPASSION p q

Implies that only paths in which GF p → GF q is satisfied are considered by the model-checker

Example: COMPASSION ask receive and only paths that satisfy GF ask → GF receive are considered for model checking

### nuSMV: semaphore

```
MODULE main
 VAR
   semaphore : boolean;
             : process user(semaphore);
  proc1
  proc2 : process user(semaphore);
 ASSIGN
   init(semaphore) := 0;
MODULE user(semaphore)
 VAR
   state : {idle, entering, critical, exiting};
 ASSIGN
   init(state) := idle;
  next(state) :=
     case
       state = idle
                                      : {idle, entering};
       state = entering & !semaphore : critical;
                                      : {critical, exiting};
       state = critical
       state = exiting
                                     : idle;
       1
                                     : state;
     esac;
  next(semaphore) :=
     case
       state = entering : 1;
      state = exiting : 0;
       1
                        : semaphore;
     esac;
 FAIRNESS
   running
```

### nuSMV: traces

Three simulation modes (how to select a state):

- random
- deterministic,
- interactive

In deterministic simulation mode the first state of a set (whatever it is) is chosen, while in the random one the choice is performed nondeterministically. Traces are automatically generated by NUSMV: the user obtains the whole of the trace in a time without control over the generation itself (except for the simulation mode and the number of states entered via command line).

In the third simulation mode, the user has a complete control over the trace, as it can choose the next step of the execution

## nuSMV: traces

### For the very first example (called short.smv)

```
system_prompt> NuSMV -int short.smv
NuSMV> qo
NuSMV> pick_state -r
NuSMV> print_current_state -v
Current state is 1.1
request = 0
state = readv
NuSMV> simulate -r 3
****** Starting Simulation From State 1.1 *******
NuSMV> show traces -t
There is 1 trace currently available.
NuSMV> show_traces -v
Trace Description: Simulation Trace
Trace Type: Simulation
-> State: 1.1 <-
   request = 0
   state = ready
-> State: 1.2 <-
   request = 1
   state = busy
```

### nuSMV: traces

```
-> State: 1.3 <-
    request = 1
    state = ready
-> State: 1.4 <-
    request = 1
    state = busy
NuSMV> goto_state 1.4
The starting state for new trace is:
-> State 2.4 <-
   request = 1
   state = busy
NuSMV> simulate -r 3
****** Simulation Starting From State 2.4 ******
NuSMV> show traces 2
Trace Description: Simulation Trace
Trace Type: Simulation
-> State: 2.1 <-
                                                    request = 1
   request = 1
                                                -> State: 2.5 <-
   state = ready
                                                    request = 0
-> State: 2.2 <-
                                                -> State: 2.6 <-
   state = busy
                                                    state = readv
-> State: 2.3 <-
                                                -> State: 2.7 <-
   request = 0
                                                NuSMV>
-> State: 2.4 <-
```



### nuSMV: traces - choose a state

```
NuSMV> pick_state -i
******** AVAILABLE STATES *********
request = 1
  state = ready
1) -----
  request = 0
  state = ready
Choose a state from the above (0-1): 1 <RET>
Chosen state is: 1
NuSMV> simulate -i 1
****** Simulation Starting From State 3.1 ******
```

```
AVAILABLE FUTURE STATES *********
request = 1
  state = ready
1) -----
  request = 1
  state = busy
2) -----
  request = 0
  state = ready
3) -----
  request = 0
  state = busy
Choose a state from the above (0-3): 0 < RET >
Chosen state is: 0
NuSMV> show_traces 3
Trace Description: Simulation Trace
Trace Type: Simulation
-> State: 3.1 <-
  request = 0
  state = ready
-> State: 3.2 <-
  request = 1
```

### nuSMV: CTL/LTL model checking

A CTL specification is a CTL formula preceded by the keyword SPEC

A LTL specification is a LTL formula preceded by the keyword LTLSPEC

If the formula is not true a trace that provides a counter example is shown (for A quantifiers, since for existential does not make sense)

### nuSMV: CTL model checking of semaphore

```
MODULE main
 VAR
   semaphore : boolean;
   proc1
            : process user(semaphore);
             : process user(semaphore);
   proc2
ASSIGN
   init(semaphore) := 0;
 SPEC AG ! (proc1.state = critical & proc2.state = critical)
 SPEC AG (proc1.state = entering -> AF proc1.state = critical)
MODULE user(semaphore)
VAR
   state : {idle, entering, critical, exiting};
ASSIGN
   init(state) := idle;
   next(state) :=
     case
       state = idle
                                      : {idle, entering};
       state = entering & !semaphore : critical;
       state = critical
                                      : {critical, exiting};
                                      : idle;
       state = exiting
       1
                                      : state;
     esac;
   next(semaphore) :=
     case
       state = entering : 1;
       state = exiting : 0;
                        : semaphore;
       1
     esac;
FAIRNESS
  running
```

### nuSMV: CTL model checking

system\_prompt> NuSMV semaphore.smv

we obtain the following output:

```
-- specification AG (!(proc1.state = critical & proc2.state = critical))
-- is true
-- specification AG (proc1.state = entering -> AF proc1.state = critical)
-- is false
-- as demonstrated by the following execution sequence
-> State: 1.1 <-
   semaphore = 0
   proc1.state = idle
   proc2.state = idle
-> Input: 1.2 <-
   process selector = proc1
-- Loop starts here
-> State: 1.2 <-
   proc1.state = entering
-> Input: 1.3 <-
   process selector = proc2
-> State: 1.3 <-
   proc2.state = entering
-> Input: 1.4 <-
   process selector = proc2
-> State: 1.4 <-
    semaphore = 1
   proc2.state = critical
```

```
-> Input: 1.5 <-
   process selector = proc1
-> State: 1.5 <-
-> Input: 1.6 <-
   process selector = proc2
-> State 1.6 <-
   proc2.state = exiting
-> Input: 1.7 <-
   process selector = proc2
-> State 1.7 <-
   semaphore = 0
   proc2.state = idle
```

## CTL: Syntax

AP, set of atomic proposition.  $p \in AP$ .

CTL formulae:

$$\varphi ::= p \mid \neg \varphi \mid \varphi \vee \varphi \mid EX\varphi \mid E[\varphi U \varphi] \mid A[\varphi U \varphi]$$

E: "for some path"

A: "for all paths"

EX: "for some path next"

U: until

Note: syntactically correct formulas quantifiers and temporal operators are in strict alternation



### Derived operators

- EF $\phi$  = E[true U  $\phi$ ] " $\phi$  holds potentially" " $\phi$  is possible"
- AF $\phi = A[\text{true U }\phi]$  " $\phi$  is inevitable (unavoidable)"
- EG $\phi \equiv \neg AF \neg \phi$  "potentially always  $\phi'' -$  "globally along some path"
- $AG\phi \equiv \neg EF \neg \phi$  "invariantly  $\phi$ "
- $AX\phi = \neg EX \neg \phi$  "for all paths next"



### End of nuSMV