Posted on 21-Dec-2015
2/18/2005 1
Introduction to SMV
Symbolic Model Verifier
Ken McMillan, Symbolic Model Checking: An Approach to the State Explosion Problem, 1993.
• Finite-state systems described in a specialized language
• Specifications given as CTL formulas
• Internal representation using OBDDs
• Automatically verifies the specification or produces a counterexample
Overview of SMV
(Flow diagram) SMV input language → finite-state Kripke structure plus specification (CTL formula) → OBDD-based symbolic model checking (backend) → Yes, or No with a counterexample
Language Characteristics
• Allows description of systems ranging from completely synchronous to asynchronous, and from detailed to abstract
• Modularized and hierarchical descriptions
• Finite data types: Boolean and enumerated
Language Characteristics (cont.)
• Parallel-assignment syntax
• Non-determinism
A Sample SMV Program
MODULE main
VAR
  request : boolean;
  state   : {ready, busy};
ASSIGN
  init(state) := ready;
  next(state) :=
    case
      state = ready & request : busy;
      1 : {ready, busy};
    esac;
SPEC AG(request -> AF (state = busy))
SMV Syntax - Expressions
Expr ::
    atom                 ;; symbolic constant
  | number               ;; numeric constant
  | id                   ;; variable identifier
  | "!" expr             ;; logical not
  | expr1 <op> expr2
  | "next" "(" id ")"    ;; next value
  | case_expr
  | set_expr
The Case Expression
Case_expr :: "case" expr_a1 ":" expr_b1 ";" ... expr_an ":" expr_bn ";" "esac"
• Guards are evaluated sequentially. The first one that is true determines the resulting value.
• If none of the guards is true, the result is the numeric value 1.
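The case-expression rule above, and the sample program from the previous slide, executed explicitly (an added example, not code from the slides or from SMV itself; the Python encodings of the guards and the helper names are this example's own). The reordered variant shows why guard order matters: with the default branch first, the `busy` branch can never be selected.

```python
"""The SMV case expression and the sample program as an explicit transition system."""
from itertools import product


def case_expr(branches):
    """SMV case semantics: guards are tried in order, the first true guard
    selects the value, and the numeric value 1 is returned when none is true."""
    for guard, value in branches:
        if guard:
            return value
    return 1


def choices(value):
    """A {v1, ..., vn} set expression is a nondeterministic choice; any other
    value denotes exactly one successor value."""
    return frozenset(value) if isinstance(value, (set, frozenset)) else frozenset([value])


STATE_VALUES = ("ready", "busy")
REQUEST_VALUES = (False, True)   # 'request' is never assigned: an unconstrained input


def slide_branches(state, request):
    """next(state) := case state = ready & request : busy; 1 : {ready, busy}; esac"""
    return [(state == "ready" and request, "busy"),
            (True, {"ready", "busy"})]


def reordered_branches(state, request):
    """Same branches with the default first: the 'busy' branch is now dead code."""
    return [(True, {"ready", "busy"}),
            (state == "ready" and request, "busy")]


def transition_system(branches):
    """Parallel assignment: next(state) comes from the case expression, next(request)
    is free. Returns {(state, request): set of successor (state, request) pairs}."""
    ts = {}
    for state, request in product(STATE_VALUES, REQUEST_VALUES):
        ts[(state, request)] = {(s, r)
                                for s in choices(case_expr(branches(state, request)))
                                for r in REQUEST_VALUES}
    return ts


if __name__ == "__main__":
    for cur, nxt in sorted(transition_system(slide_branches).items()):
        print(cur, "->", sorted(nxt))
```

From `(ready, request)` the only successors have `state = busy`, which is why `AG(request -> AF (state = busy))` holds; from `(ready, !request)` every combination is possible, so a stronger property such as `AG AF (state = busy)` would fail on the path that keeps `request` false.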
State Variables
Decl :: "VAR" atom1 ":" type1 ";" atom2 ":" type2 ";" ...
• A state is an assignment of values to a set of state variables
• Type of a variable: boolean, scalar, user-defined module, or array
ASSIGN declaration
Decl :: "ASSIGN" dest1 ":=" expr1 ";" dest2 ":=" expr2 ";" ...
Dest :: atom | "init" "(" atom ")" | "next" "(" atom ")"
Variable Assignments
• Assignment to the initial state: init(value) := 0;
• Assignment to the next state (transition relation): next(value) := value + carry_in mod 2;
• Assignment to the current state (invariant): carry_out := value & carry_in;
• Either the init/next pair or the invariant form should be used for a variable, but not both
• SMV is a parallel assignment language
Circular definitions ... are not allowed! This is illegal:
  a := next(b);
  next(b) := c;
  c := a;
This is OK:
  init(a) := 0;
  next(a) := !b;
  init(b) := 1;
  next(b) := !a;
Nondeterminism
• A completely unassigned variable can model an unconstrained input.
• {val_1, ..., val_n} is an expression taking on any of the given values nondeterministically.
• Nondeterministic choice can be used to model an implementation that has not been refined yet, or to abstract behavior.
ASSIGN and DEFINE
VAR a : boolean;
ASSIGN a := b | c;
• declares a new state variable a
• the assignment becomes part of the invariant relation
DEFINE d := b | c;
• is effectively a macro definition: each occurrence of d is replaced by b | c
• no extra BDD variable is generated for d
• the BDD for b | c becomes part of each expression using d
SPEC declaration
Decl :: "SPEC" ctlform
Ctlform ::
    expr                      ;; boolean expression
  | "!" ctlform
  | ctlform1 <op> ctlform2
  | "E" pathform
  | "A" pathform
Pathform ::
    "X" ctlform
  | "F" ctlform
  | "G" ctlform
  | ctlform1 "U" ctlform2
Modules and Hierarchy
• Modules can be instantiated many times; each instantiation creates a copy of the local variables
• Each program has a module main
• Scoping: variables declared outside a module can be passed as parameters
• Parameters are passed by reference.
Pass by reference
DEFINE a := 0;
VAR b : bar(a);
...
MODULE bar(x)
DEFINE a := 1;
       y := x;
Inside bar, x refers to the a of the instantiating module, so y := x gives y the value 0; the a defined inside bar is a different, local a.
Pass by reference
...
VAR a : boolean;
    b : foo(a);
...
MODULE foo(x)
ASSIGN x := 1;
Because x is bound to the caller's a by reference, the assignment inside foo constrains the caller's variable a.
MODULE main
VAR
  bit0 : counter_cell(1);
  bit1 : counter_cell(bit0.carry_out);
  bit2 : counter_cell(bit1.carry_out);
SPEC AG AF bit2.carry_out

MODULE counter_cell(carry_in)
VAR
  value : boolean;
ASSIGN
  init(value) := 0;
  next(value) := value + carry_in mod 2;
DEFINE
  carry_out := value & carry_in;
Module Composition
• Synchronous composition: all assignments are executed in parallel and synchronously. A single step of the resulting model corresponds to a step in each of the components.
• Asynchronous composition: a step of the composition is a step by exactly one process. Variables not assigned in that process are left unchanged.
Asynchronous Composition
MODULE main
VAR
  gate1 : process inverter(gate3.output);
  gate2 : process inverter(gate1.output);
  gate3 : process inverter(gate2.output);
SPEC (AG AF gate1.output) & (AG AF !gate1.output)

MODULE inverter(input)
VAR
  output : boolean;
ASSIGN
  init(output) := 0;
  next(output) := !input;
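The two composition rules from the previous slide, applied to the inverter ring above (an added example, not code from the slides or from SMV; the state encoding as a tuple of the three outputs and the helper names are this example's own). It enumerates the reachable states under each rule and exhibits the schedule in which only gate2 ever runs, which is the kind of path that makes the SPEC fail until a fairness constraint excludes it.

```python
"""Synchronous versus asynchronous composition of the three-inverter ring."""

GATES = 3
INIT = (0, 0, 0)          # init(output) := 0 in every inverter


def inverter_next(state, g):
    """next(output) := !input; gate g's input is the output of the gate before it
    (gate1 reads gate3, gate2 reads gate1, gate3 reads gate2)."""
    return 1 - state[(g - 1) % GATES]


def sync_step(state):
    """Synchronous composition: every module's assignment fires in the same step."""
    return {tuple(inverter_next(state, g) for g in range(GATES))}


def async_step(state):
    """Asynchronous composition ('process'): exactly one module steps; the
    variables of the other modules are left unchanged."""
    successors = set()
    for g in range(GATES):
        nxt = list(state)
        nxt[g] = inverter_next(state, g)
        successors.add(tuple(nxt))
    return successors


def reachable(step, init=INIT):
    """Forward reachability from the initial state under the given step rule."""
    seen, todo = {init}, [init]
    while todo:
        s = todo.pop()
        for n in step(s):
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return seen


def stuttering_states(step, init=INIT):
    """Reachable states that can step to themselves. In the asynchronous model a
    scheduler that keeps picking a stuttering process there never lets the other
    processes run; FAIRNESS running is what rules such schedules out."""
    return {s for s in reachable(step, init) if s in step(s)}


def run_only(g, steps, state=INIT):
    """Trace in which only process g (0-based) is ever scheduled."""
    trace = [state]
    for _ in range(steps):
        nxt = list(state)
        nxt[g] = inverter_next(state, g)
        state = tuple(nxt)
        trace.append(state)
    return trace


if __name__ == "__main__":
    print("sync reachable :", sorted(reachable(sync_step)))
    print("async reachable:", sorted(reachable(async_step)))
    print("only gate2 runs:", run_only(1, 5))
```

Synchronously the ring just alternates between (0,0,0) and (1,1,1); asynchronously seven states are reachable and six of them can stutter, and in the `run_only(1, ...)` trace gate1.output stays 0 forever, so `AG AF gate1.output` is false on that path.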
Fairness
FAIRNESS ctl_formula
• Assumed to be true infinitely often
• The model checker only explores paths satisfying the fairness constraint
• Each fairness constraint must be true infinitely often
• If there are no fair paths, all existential formulas are false and all universal formulas are true
FAIRNESS running
With Fairness
MODULE main
VAR
  gate1 : process inverter(gate3.output);
  gate2 : process inverter(gate1.output);
  gate3 : process inverter(gate2.output);
SPEC (AG AF gate1.output) & (AG AF !gate1.output)

MODULE inverter(input)
VAR
  output : boolean;
ASSIGN
  init(output) := 0;
  next(output) := !input;
FAIRNESS running
Counter revisited
MODULE main
VAR
  count_enable : boolean;
  bit0 : counter_cell(count_enable);
  bit1 : counter_cell(bit0.carry_out);
  bit2 : counter_cell(bit1.carry_out);
SPEC AG AF bit2.carry_out
FAIRNESS count_enable
Synchronous vs Asynchronous
• With asynchronous processes, the transition relations of the individual processes need not be combined
• The complexity of representing the set of states reachable in n steps is occasionally higher for asynchronous processes because of the larger number of interleavings
Implicit Modelling
• TRANS: boolean-valued expression restricting the transition relation of the system
• INIT: boolean-valued expression giving the initial states
• INVAR: boolean-valued expression restricting the set of all states of the model
Implicit Modelling Example
MODULE main
VAR
  gate1 : inverter(gate3.output);
  gate2 : inverter(gate1.output);
  gate3 : inverter(gate2.output);
SPEC (AG AF gate1.output) & (AG AF !gate1.output)

MODULE inverter(input)
VAR
  output : boolean;
INIT output = 0;
TRANS next(output) = !input | next(output) = output
TRANS
Advantages
• Groups assignments to different variables
• Good for modelling guarded commands
Disadvantages
• Logical absurdities can lead to unimplementable descriptions
Shared Data Example
Two users assign their pid to the shared data in turn.
MODULE main
VAR
  data  : boolean;
  turn  : boolean;
  user0 : user(0, data, turn);
  user1 : user(1, data, turn);
ASSIGN
  next(turn) := !turn;
SPEC AG (AF data & AF (!data))
Shared data example (cont.)
Using ASSIGN and a case statement won't work (each instance constrains the shared variable all the time):
MODULE user(pid, data, turn)
ASSIGN
  next(data) :=
    case
      turn : pid;
      1 : data;
    esac;
SMV rejects this with: Line 3: multiple assignment: next(data)
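The two static checks behind the "multiple assignment" error above and the "circular definitions" rule from the earlier slide, written out as a small checker (an added example, not SMV's front end: the parser here is a deliberately small stand-in that only extracts names, and the flattened `SHARED` input is constructed from the slide's module by substituting the two pid values).

```python
"""Static checks on flattened ASSIGN sections: duplicate destinations and dependency cycles."""
import re

KEYWORDS = {"case", "esac", "mod"}
NAME = re.compile(r"next\(\s*\w+\s*\)|\b[A-Za-z_]\w*\b")


def parse_assignments(statements):
    """Turn 'dest := expr' strings into (dest, set of referenced names).
    'x' names the current value of x, 'next(x)' its next value."""
    result = []
    for stmt in statements:
        dest, expr = (part.strip() for part in stmt.split(":=", 1))
        refs = {re.sub(r"\s+", "", m) for m in NAME.findall(expr)} - KEYWORDS
        result.append((re.sub(r"\s+", "", dest), refs))
    return result


def duplicate_destinations(assigns):
    """Destinations assigned more than once after flattening (SMV: 'multiple assignment')."""
    seen, dups = set(), []
    for dest, _ in assigns:
        if dest in seen and dest not in dups:
            dups.append(dest)
        seen.add(dest)
    return dups


def find_cycle(assigns):
    """Depth-first search over 'dest depends on ref' edges; returns a cycle as a
    list of names (first == last) or None if the definitions are well-founded."""
    deps = {}
    for dest, refs in assigns:
        deps.setdefault(dest, set()).update(refs)
    state = {}      # name -> "active" (on the DFS stack) or "done"
    stack = []

    def visit(name):
        state[name] = "active"
        stack.append(name)
        for ref in sorted(deps[name]):
            if ref not in deps:          # unassigned state variable: no outgoing edges
                continue
            if state.get(ref) == "active":
                return stack[stack.index(ref):] + [ref]
            if ref not in state:
                cycle = visit(ref)
                if cycle:
                    return cycle
        stack.pop()
        state[name] = "done"
        return None

    for name in deps:
        if name not in state:
            cycle = visit(name)
            if cycle:
                return cycle
    return None


# Constructed inputs, taken from the slides' examples.
ILLEGAL = ["a := next(b)", "next(b) := c", "c := a"]
LEGAL = ["init(a) := 0", "next(a) := !b", "init(b) := 1", "next(b) := !a"]
# The shared data example after flattening: user0 and user1 both drive main.data
SHARED = ["next(turn) := !turn",
          "next(data) := case turn : 0; 1 : data; esac",   # from user0 (pid = 0)
          "next(data) := case turn : 1; 1 : data; esac"]   # from user1 (pid = 1)

if __name__ == "__main__":
    print("illegal cycle :", find_cycle(parse_assignments(ILLEGAL)))
    print("legal cycle   :", find_cycle(parse_assignments(LEGAL)))
    print("shared dups   :", duplicate_destinations(parse_assignments(SHARED)))
```

The legal example has no cycle because `next(a)` depends on the current `b` and `next(b)` on the current `a`, and current-state variables that have no invariant assignment are leaves of the graph.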
Using TRANS
TRANS is useful for changing shared data between modules in a synchronous system.
MODULE user(pid, data, turn)
TRANS turn -> next(data) = pid
Guarded Commands
Guard1 : action1
Guard2 : action2
...
Otherwise nop
TRANS (guard1 & action1) | (guard2 & action2) | ... | (!guard1 & !guard2 & ... & "nop")
TRANS Pitfall
TRANS (True -> next(b) = 0) &
      (True -> next(b) = 1) & ...
Results in an empty transition relation
TRANS Guidelines
• Try using ASSIGN instead
• Write in a disjunction-of-conjunctions format
• Try to cover all cases
• Try to make the guards disjoint
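What the guarded-command form, the pitfall and the guidelines above come down to is the set of (current, next) pairs a TRANS constraint admits, shown here by enumerating that set (an added example, not SMV's own code; the constraints are written as Python predicates over one constructed scalar variable x : {0, 1, 2}, and the helper names are this example's own).

```python
"""Explicit enumeration of the transition relation a TRANS constraint defines."""
from itertools import product

DOMAIN = {"x": (0, 1, 2)}   # constructed variable domain


def all_states(domain):
    return [dict(zip(domain, values)) for values in product(*domain.values())]


def key(state):
    return tuple(state.values())


def transition_relation(domain, trans):
    """All (current, next) pairs for which the TRANS predicate holds."""
    states = all_states(domain)
    return [(cur, nxt) for cur in states for nxt in states if trans(cur, nxt)]


def successors(domain, trans):
    """Successor sets per state, keyed by the tuple of variable values."""
    succ = {key(s): set() for s in all_states(domain)}
    for cur, nxt in transition_relation(domain, trans):
        succ[key(cur)].add(key(nxt))
    return succ


def deadlocked_states(domain, trans):
    """States with no admitted successor: a gap in the guards."""
    return sorted(s for s, ns in successors(domain, trans).items() if not ns)


# The pitfall: unconditional, contradictory constraints
#   TRANS (True -> next(x) = 0) & (True -> next(x) = 1)
def pitfall(cur, nxt):
    return nxt["x"] == 0 and nxt["x"] == 1


# Guarded commands in disjunction-of-conjunctions form, guards disjoint and covering:
#   TRANS (x = 0 & next(x) = 1) | (x = 1 & next(x) = 2) | (!(x = 0) & !(x = 1) & next(x) = x)
def guarded(cur, nxt):
    g1, g2 = cur["x"] == 0, cur["x"] == 1
    return ((g1 and nxt["x"] == 1) or (g2 and nxt["x"] == 2)
            or (not g1 and not g2 and nxt["x"] == cur["x"]))


# The same commands without the 'otherwise nop' branch: x = 2 has no successor.
def guarded_without_default(cur, nxt):
    g1, g2 = cur["x"] == 0, cur["x"] == 1
    return (g1 and nxt["x"] == 1) or (g2 and nxt["x"] == 2)


# Overlapping guards: at x = 1 both commands apply, so the model is nondeterministic there.
#   TRANS (x < 2 & next(x) = x + 1) | (x >= 1 & next(x) = 0)
def overlapping(cur, nxt):
    return ((cur["x"] < 2 and nxt["x"] == cur["x"] + 1)
            or (cur["x"] >= 1 and nxt["x"] == 0))


if __name__ == "__main__":
    print("pitfall pairs  :", transition_relation(DOMAIN, pitfall))
    print("guarded        :", successors(DOMAIN, guarded))
    print("no default     :", deadlocked_states(DOMAIN, guarded_without_default))
    print("overlapping    :", successors(DOMAIN, overlapping))
```

An empty relation makes every `AG` property vacuously true and every `EX`/`EF` property false, so a contradictory TRANS is easy to mistake for a verified model; checking for deadlocked states is the practical test.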
SMV Steps
• Read_Model: read the model from the input smv file
• Flatten_hierarchy: instantiate modules and processes
• Build_model: compile the model into BDDs (initial state, invar, transition relation)
• Check_spec: check the specification bottom up
Run SMV
smv [options] inputfile
-c    cache size for BDD operations
-k    key table size for BDD nodes
-v    verbose
-int  interactive mode
-r    prints out statistics about the reachable state space
SMV Options: -f
• Computes the set of reachable states first
• The model checking algorithm then traverses only the set of reachable states instead of the complete state space
• Useful if the reachable state space is a small fraction of the total state space
SMV Options: Reordering vars
• Variable reordering is crucial for small BDD sizes and speed.
• Generally, variables which are related need to be close in the ordering.
-i filename, -o filename   Input / output the BDD variable ordering from / to the given file
-reorder                   Invokes automatic variable reordering
SMV Options: Transition relation
smv -cp part_limit
• Conjunctive partitioning: the transition relation is not evaluated as a whole; instead individual next() assignments are grouped into partitions that do not exceed part_limit
• Uses less memory and benefits from early quantification
SMV options: -inc
• Perform incremental evaluation of the transition relation
• At each step in the forward search, the transition relation is restricted to the reached state set
• Cuts down the size of the transition relation, at the cost of extra computation
Example: Client & Server
MODULE client(ack)
VAR
  state : {idle, requesting};
  req   : boolean;
ASSIGN
  init(state) := idle;
  next(state) :=
    case
      state = idle : {idle, requesting};
      state = requesting & ack : {idle, requesting};
      1 : state;
    esac;
  req := (state = requesting);
MODULE server(req)
VAR
  state : {idle, pending, acking};
  ack   : boolean;
ASSIGN
  next(state) :=
    case
      state = idle & req : pending;
      state = pending : {pending, acking};
      state = acking & req : pending;
      state = acking & !req : idle;
      1 : state;
    esac;
  ack := (state = acking);
Is the specification true?
MODULE main
VAR
  c : client(s.ack);
  s : server(c.req);
SPEC AG (c.req -> AF s.ack)
Need a fairness constraint. Suggestion:
  FAIRNESS s.ack
Why is this bad? Solution:
  FAIRNESS (c.req -> s.ack)
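The fairness semantics from the Fairness slide and the client/server question above, worked through with an explicit-state fair CTL checker (an added example, not SMV's own code: the client and server modules are re-encoded as Python functions, their synchronous composition is enumerated, and the CTL operators are the standard fixpoint characterizations that SMV evaluates on OBDDs, here evaluated on plain sets; all helper names are this example's own). Besides the SPEC it also checks `AG AF s.ack`, which the system does not guarantee (the client may never request); the run shows that `FAIRNESS s.ack` makes that property pass too, which is what is wrong with it, while `FAIRNESS (c.req -> s.ack)` proves the SPEC without proving the unjustified property.

```python
"""Fair CTL model checking of the client/server model, on explicit state sets."""
from itertools import product

CLIENT_STATES = ("idle", "requesting")
SERVER_STATES = ("idle", "pending", "acking")


def req(c):            # client:  req := (state = requesting)
    return c == "requesting"


def ack(s):            # server:  ack := (state = acking)
    return s == "acking"


def client_next(c, ack_in):
    """next(state) of MODULE client(ack)."""
    if c == "idle" or (c == "requesting" and ack_in):
        return {"idle", "requesting"}
    return {c}


def server_next(s, req_in):
    """next(state) of MODULE server(req)."""
    if s == "idle" and req_in:
        return {"pending"}
    if s == "pending":
        return {"pending", "acking"}
    if s == "acking":
        return {"pending"} if req_in else {"idle"}
    return {s}


# Global state = (client.state, server.state); c : client(s.ack), s : server(c.req)
STATES = frozenset(product(CLIENT_STATES, SERVER_STATES))
INIT = frozenset(st for st in STATES if st[0] == "idle")     # server has no init()
SUCC = {st: frozenset(product(client_next(st[0], ack(st[1])),
                              server_next(st[1], req(st[0])))) for st in STATES}


# --- CTL operators on sets of states; 'fair' is a tuple of fairness sets ---
def ex(phi):
    return frozenset(st for st in STATES if SUCC[st] & phi)


def eu(phi, psi):      # E[phi U psi], least fixpoint
    z = psi
    while True:
        nz = z | (phi & ex(z))
        if nz == z:
            return z
        z = nz


def eg(phi, fair=()):  # EG phi along paths meeting every fairness set infinitely often
    z = phi
    while True:
        nz = phi
        for f in fair or (STATES,):
            nz &= ex(eu(phi, z & f))
        if nz == z:
            return z
        z = nz


def fair_states(fair):  # states from which some fair path starts
    return eg(STATES, fair)


def af(phi, fair=()):  # AF phi = !EG !phi
    return STATES - eg(STATES - phi, fair)


def ag(phi, fair=()):  # AG phi = !EF !phi, with EF restricted to fair states
    return STATES - eu(STATES, (STATES - phi) & fair_states(fair))


def implies(a, b):
    return (STATES - a) | b


def holds(phi):        # true in every initial state
    return INIT <= phi


REQ = frozenset(st for st in STATES if req(st[0]))   # c.req
ACK = frozenset(st for st in STATES if ack(st[1]))   # s.ack

NO_FAIRNESS = ()
FAIR_ACK = (ACK,)                              # FAIRNESS s.ack
FAIR_REQ_IMPLIES_ACK = (implies(REQ, ACK),)    # FAIRNESS (c.req -> s.ack)


def check(fair):
    """(SPEC AG (c.req -> AF s.ack), AG AF s.ack) under the given fairness constraints."""
    spec = ag(implies(REQ, af(ACK, fair)), fair)
    liveness = ag(af(ACK, fair), fair)
    return holds(spec), holds(liveness)


if __name__ == "__main__":
    for name, fair in [("no fairness", NO_FAIRNESS), ("FAIRNESS s.ack", FAIR_ACK),
                       ("FAIRNESS (c.req -> s.ack)", FAIR_REQ_IMPLIES_ACK)]:
        spec, liveness = check(fair)
        print(f"{name:28s} spec={spec}  AG AF s.ack={liveness}")
```

Without fairness the SPEC fails because the server may stay `pending` forever. `FAIRNESS s.ack` forces acknowledgements onto every path considered, so it also "proves" `AG AF s.ack`, a property the model does not have. `FAIRNESS (c.req -> s.ack)` only excludes runs in which a request is held without ever being acknowledged, which is exactly the assumption the SPEC needs.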
NuSMV
• Specifications expressible in CTL, LTL and real-time CTL logics
• Provides both BDD-based and SAT-based model checking
• Uses a number of heuristics for achieving efficiency and controlling state explosion
• More features in interactive mode
Cadence SMV
• Provides "compositional techniques" to verify large complex systems by decomposition into smaller problems
• Provides a variety of techniques for refinement verification, symmetry reductions, uninterpreted functions and data type reductions
Useful Links
SMV sources, binaries and manuals: http://www.cs.cmu.edu/~modelcheck/smv.html
SMV man page: http://www.cs.cmu.edu/~dongw/smv.txt
SMV manual: http://www.cs.cmu.edu/~modelcheck/smv/smvmanual.ps
Tutorial on verification techniques using Cadence SMV: http://www-cad.eecs.berkeley.edu/~kenmcmil/tutorial.ps
SMV Input Language documentation: http://www-cad.eecs.berkeley.edu/~kenmcmil/psdoc.html
Downloads
SMV: www.cs.cmu.edu/~modelcheck/smv.html
NuSMV: http://nusmv.irst.itc.it/
Cadence SMV: http://wwwcad.eecs.berkeley.edu/~kenmcmil/smv