# CSE 620: Selective Topics Introduction to Formal Verification



Master Studies in CSE Fall 2016

Lecture #8



Dr. Hazem Ibrahim Shehata

Assistant Professor

Dept. of Computer & Systems Engineering





#### **Course Outline**

- Computational Boolean Algebra
  - —Basics
    - Shannon Expansion
    - Boolean Difference
    - Quantification Operators
      - + Application to Logic Network Repair
  - Validity Checking (Tautology Checking)
  - —Binary Decision Diagrams (BDD's)
  - —Satisfiability Checking (SAT solving)
- Model Checking
  - —Temporal Logics → LTL CTL
  - —SMV: Symbolic Model Verifier
  - —Model Checking Algorithms → Explicit CTL





## Model Checking



## Symbolic Model Verifier (SMV)

SMV is a program that checks  $\mathcal{M} \models \phi$  for a  $\phi$  that is a property in the temporal logics LTL and CTL. We will be using LTL.

- Developed to verify synchronous circuits
- Extended to verify asychronous circuits
- Successfully used to verify models of reactive systems

Next we are going to talk about modelling systems using SMV. The SMV symbolic model checking algorithm will be described next week.

## Getting and installing SMV

Cadence SMV (extended SMV) can be found at:

http://www.cadence.com/webforms/cbl\_software/index.aspx

You have to fill in a registration form. You can get SMV for various platforms.

Run the executable vw. Like HOL, you edit your model description as a text file and load it into SMV.

Look in smv/doc/smv for a tutorial, and SMV examples.

## Reactive Systems

- System interacts with its environment, monitoring and responding to environmental events
- Computation may not terminate
- System behaviour changes over time, in reaction to history of inputs
- Complexity is due to concurrency and interactions among components
- Examples: operating systems, embedded systems, process-control systems, financial trading systems, automated banking machines, etc.

## Compared to Transformational Programs

- Program computes a function from inputs to outputs
- Complexity is in data transformations
- Examples: compilers, filters, payroll systems, scientific computations

## **SMV** Modelling

- ► Goal is to describe control and interaction. Hence, no complex data structures, not much data manipulation.
- SMV Language: Communicating Finite State Machines (FSMs with variables)
- System may consist of several modules
- Modules consist of several simple parallel assignments
- Model may also specify constraints on environment's behaviour

#### SMV Modelling

A system is described as a set of modules. Each module is a reactive system interacting with other modules and the system's environment.

Each modules has variables that it reacts to, and that is manipulates.

In each module, there are variable declarations, assignments to variables, and properties that we want to check.

The main module is like a main program. In the simplest SMV descriptions we use only the main module, and no sub-modules.

Modules can be parameterized and the main module can creating instances of modules to describe the system.

## Example Specification (echo1.smv)

```
MODULE main ()
   signal: boolean;
   echo : boolean;
   init(echo) := 0;
  next(echo) := signal;
  mypropname: assert G (signal <-> X (echo));
```

## Example Specification (echo1.smv)

#### Example Traces:

signal: 01001000100001...

echo: 001001000100001...

signal: 11001100110011...

echo: 01100110011...

At the prompt, type "vw echo1.smv &"

## Example Specification (echo2.smv)

```
MODULE main ()
   signal : boolean;
   echo : boolean;
   init(echo) := 0;
   next(echo) := signal & 1 ;
   mypropname: assert G (signal <-> X (echo));
```

See echo2.smv

## Example Specification (echo3.smv)

```
MODULE main ()
   signal : boolean;
   echo : boolean;
   init(echo) := 0;
   next(echo) := signal & 0 ;
   mypropname: assert G (signal <-> X (echo));
```

CS745/ECE-725, Fall 2009, University of Waterloo, Topic 4, Page 67/236

See echo3.smv

## **SMV** Modelling

Recall that the SMV modelling notation is used to describe communicating finite state machines.

It consists of a set of modules, with one main module.

In each module there are:

- variables declarations,
- variable initialization,
- assignments, and
- properties that we want to check.

#### **Variables**

Variables can be boolean, enumerated types, integer subranges, user-defined modules, or an array of any of these:

```
var1 : {on, off};
var2 : array 2..5 of {on, off};
var3 : array 1..10 of array 2..5 of boolean;
var4 : Inverter(1);
var5 : array on..off of boolean; -- error
var6 : {enabled, active, off}; -- error
var7 : 0..6;
```

#### **Variables**

- Enumerated values must be distinct, from each other and from integer values
- Boolean values are 0 and 1
- ▶ Boolean operations are:  $\sim$  (not), & (and), | (or), ^ (xor),  $\rightarrow$  (implies),  $<\!\!\!-\!\!\!>$  (iff)
- Array subscripts must evaluate to integers (preferably constants)
- Comments are delimited by —— and a newline

#### **Execution Model**

ightharpoonup System state  $\mathcal S$  is defined by the variables' values

$$v_1:T_1; v_2:T_2; \cdots; v_n:T_n;$$
  
 $S \in T_1 \times T_2 \times \cdots \times T_n$ 

► Each variable is either controlled by the system (i.e., the model explicitly assigns values to the variable) or is controlled by the environment (i.e., can be thought of as an input variable).

#### **Execution Model**

- Round-based execution: initialization round followed by a sequence of update rounds. In each round
  - the environment-controlled variables non-deterministically change value
  - the system executes its parallel assignment statements
  - the result is a new system state
- Variable assignments may either take effect in the next system state (sequential/unit delay)

$$next(x) := y + 3;$$

or be effective immediately (combinational/derived)

$$x := y + 3;$$

## Assignments

Conditional Assignments: if-then-else returns the value assigned. The condition or guard is a Boolean expression over variables.

#### Examples:

## Example: Thermostat (See therm1.smv)

```
MODULE main()
     {
        temp : {hot, cold, justright}; -- room temperature
        active : boolean;
                                           -- is thermostat on?
        heat : boolean;
                                           -- is furnace on?
        aircond : boolean;
                                           -- is aircond on?
        init(heat) := 0;
        next(heat) := case {
              active & (temp=cold) : 1 ;
              ~active | ~(temp=cold) : 0;
        };
        init(aircond) := 0;
        next(aircond) := case {
              active & (temp=hot) : 1 ;
              ~active | ~(temp=hot) : 0 ;
CS745/ECE-725, Fall 2009, University of Waterloo, Topic 4, Page 74/236
```

#### Example: Thermostat

Better properties:

See therm2.smv

#### Case Statements

Case statements are evaluated in top-down order. In the thermostat example, the guards are mutually exclusive. Let's add a user override:

```
input turnheatoff: boolean;
next(heat) := case {
    active & (temp=cold): 1;
    ~active | ~(temp=cold) : 0;
    turnheatoff : 0;
};
prop4: assert G (turnheatoff -> X ~heat);
```

Can we prove prop3 and prop4? See therm3.smv, therm4.smv, therm5.smv

#### Non-Determinism

Non-determinism: more than one outcome possible.

Ways to have non-determinism in SMV models:

- ► Input: A variable is not assigned any value.
- Non-deterministic assignments

$$x := \{1,2,3,4\};$$

Undefined assignments

A variable of undefined value may take on any value in its type. See examples next page. Note: undefined assignments are not a good idea!

#### Undefined Assignments

Example: A variable that is assigned a value outside the range of its declared type:

```
on : boolean;
on := 4;
```

Example: If a conditional assignment is not total (i.e., there exists a condition not covered by any clause):

```
y := c1 ? x;
        z := case {
        c1 : x1;
        c2 : x2;
        c3 : x3;
};
```

where  $c1 \lor c2 \lor c3$  isn't a tautology.

## **Environmental Assumptions**

- Some counter-examples exhibit undesirable system behaviour in response to invalid environmental input. These are called infeasible paths.
- ➤ Sometimes we need to constrain how environmental variables change value, in order to model a realistic environment. One option is include a model of the environment in your system description:

```
next(temp) := case {
  temp=hot : {justright, hot};
  temp=justright : {cold, justright, hot};
  temp=cold : {cold, justright}
};
```

The verification is valid as long as environmental assumptions are true.

#### Common Errors

SMV must be able to compute set of possible next states

#### Single Assignment Rule

Can only have one assignment statement for each variable

The following is invalid

```
next(x) := y;

next(x) := z;
```

- Can assign value to:
  - x, or
  - next(x) and init(x),

but not both.

#### Common Errors

#### Circular Dependency Rule

Cannot have a cycle of dependencies all of whose assignments take effect immediately. That is, the system can't have a set of variables whose current values depends on the current values of each other and vice versa (can't have a combinational loop):

```
x := y;
y := z;
z := x;
```

SMV should give you a syntax error for all of these mistakes.

## SMV Models and Kripke Structures

An SMV model represents a Kripke structure.

```
MODULE main()
    request: boolean;
    status: {ready, busy};
    init(status) := ready;
    next(status) := case {
                      request : busy;
                      default: {ready, busy};
                     };
```

From: Huth and Ryan [R18].

#### **SMV** Modules

So far, we've only been using the "main" module.

A module bundles together definitions (type declarations and assignments). These definitions can then be reused.

Modules have three kinds of variables: input, output, private.

Input and output variables are labelled as such (keywords: INPUT and OUTPUT) and included in the list of formal parameters of the module. These variables are pass by reference.

#### **SMV** Modules

The input variables of the main module are the environmental variables.

All module variables are visible to other modules and to the environment.

However, for modularity. modules shouldn't refer to each other's private variables directly!

## Example Module

```
MODULE half_adder(a, b, cout, sum)
{
   INPUT a, b : boolean;
   OUTPUT cout, sum : boolean;

-- combinational
   sum := (a & ~b) | (~a & b); -- corrected here cout := a & b;
}
```

#### Module Instantiations

## ADD1: input in1, in2, cin1: boolean; output sum1, cout1: boolean; w1,w2,w3: boolean; bit0 : half\_adder(in1, in2, w1, w2); bit1 : half\_adder(w2, cin1, w3, sum1); Then we can use: bit0.a, bit0.cout, etc. (Don't forget we'd also need an OR-gate.)

#### Full Adder



Make outputs "sum" and "cout" unit delayed.

#### See adder.smv

Note: in our properties, we can't refer to the value at the previous time step, so we have to write more properties to describe the behaviour of an adder.

## Modules with Types

"A module with only type declarations and no parameters or assignments acts like a structured data type." (SMV Language Reference Manual, 2001)

```
MODULE point(start)
   x,y: start..6;
}
MODULE main()
    mypt: point(1);
    j: 0..6;
    next(j) := mypt.x;
```