

## The NuSMV Model Checker

#### M. Pistore and M. Roveri

Feb 8, 2004 IIT Delhi — India



### Introduction



- SuSMV is a symbolic model checker developed by ITC-IRST and UniTN with the collaboration of CMU and UniGE.
- The NuSMV project aims at the development of a state-of-the-art model checker that:
  - is robust, open and customizable;
  - can be applied in technology transfer projects;
  - can be used as research tool in different domains.
- SuSMV is OpenSource:
  - developed by a distributed community,
  - "Free Software" license.



#### **History: NuSMV 1**



NuSMV is a reimplementation and extension of SMV.

- SuSMV started in 1998 as a joint project between ITC-IRST and CMU:
  - the starting point: SMV version 2.4.4.
  - SMV is the first BDD-based symbolic model checker (McMillan, 90).
- SuSMV version 1 has been released in July 1999.
  - Imited to BDD-based model checking
  - extends and upgrades SMV along three dimensions:
    - functionalities (LTL, simulation)
    - architecture
    - implementation
- Results:
  - used for teaching courses and as basis for several PhD theses
  - interest by industrial companies and academics



### **History: NuSMV 2**



- The NuSMV 2 project started in September 2000 with the following goals:
  - Introduction of SAT-based model checking
  - OpenSource licensing
  - Larger team (Univ. of Trento, Univ. of Genova, ...)
- SuSMV 2 has been released in November 2001.
  - first freely available model checker that combines BDD-based and SAT-based techniques
  - extended functionalities wrt NuSMV 1 (cone of influence, improved conjunctive partitioning, multiple FSM management)
- Results: in the first two months:
  - more than 60 new registrations of NuSMV users
  - more than 300 downloads



#### **OpenSource License**



The idea of OpenSource:

- The System is developed by a distributed community
- Notable examples: Netscape, Apache, Linux
- *Potential* benefits: shared development efforts, faster improvements...

Aim: provide a *publicly available*, *state-of-the-art* symbolic model checker.

- *publicly available*: free usage in research and commercial applications
- *state of the art*: improvements should be made freely available

Distribution license for NuSMV 2: GNU Lesser General Public License (LGPL):

- anyone can freely download, copy, use, modify, and redistribute NuSMV 2
- any modification and extension should be made publicly available under the terms of LGPL ("copyleft")



#### The first SMV program







An SMV program consists of:

- Declarations of the state variables (b0 in the example); the state variables determine the state space of the model.
- Assignments that define the valid initial states (init(b0) := 0).
- Assignments that define the transition relation (next(b0) := !b0).



#### **Declaring state variables**



The SMV language provides booleans, enumerative and bounded integers as data types:

#### boolean:

VAR

x : boolean;

#### enumerative:

VAR
 st : {ready, busy, waiting, stopped};

#### bounded integers (intervals):

VAR n : 1..8;



#### Adding a state variable



```
MODULE main
VAR
   b0 : boolean;
   b1 : boolean;
ASSIGN
   init(b0) := 0;
   next(b0) := !b0;
```

Remarks:

- The new state space is the cartesian product of the ranges of the variables.
- Synchronous composition between the "subsystems" for b0 and b1.





### Adding a state variable



MODULE main
VAR
 b0 : boolean;
 b1 : boolean;
ASSIGN
 init(b0) := 0;
 next(b0) := !b0;



Remarks:

- The new state space is the cartesian product of the ranges of the variables.
- Synchronous composition between the "subsystems" for b0 and b1.





#### **Declaring the set of initial states**



For each variable, we constrain the values that it can assume in the *initial* states.

```
init(<variable>) := <simple_expression> ;
```

- <simple\_expression> must evaluate to values in the domain of
   <variable>.
- If the initial value for a variable is not specified, then the variable can initially assume any value in its domain.











### **Expressions**



| Arithmetic operators:                                          |  |  |  |
|----------------------------------------------------------------|--|--|--|
| + - * / mod - (unary)                                          |  |  |  |
| Comparison operators:                                          |  |  |  |
| = != > < <= >=                                                 |  |  |  |
| Logic operators:                                               |  |  |  |
| &   xor ! (not) -> <->                                         |  |  |  |
| Conditional expression: case                                   |  |  |  |
| cl : el;                                                       |  |  |  |
| c2 : e2;<br>if c1 then e1 else if c2 then e2 else if else en   |  |  |  |
| 1 : en;                                                        |  |  |  |
| esac<br>Set operators:                                         |  |  |  |
| {v1,v2,,vn} (enumeration) in (set inclusion) union (set union) |  |  |  |







Expressions in SMV do not necessarily evaluate to one value. In general, they can represent a set of possible values.

```
init(var) := \{a,b,c\} union \{x,y,z\};
```

- The meaning of := in assignments is that the lhs can assume non-deterministically a value in the set of values represented by the rhs.
   A constant c is considered as a syntactic abbreviation for {c} (the
- singleton containing c).



## **Declaring the transition relation**



The transition relation is specified by constraining the values that variables can assume in the *next state*.

```
next(<variable>) := <next_expression> ;
```

- <next\_expression> must evaluate to values in the domain of
   <variable>.
- <next\_expression> depends on "current" and "next" variables:

```
next(a) := { a, a+1 } ;
next(b) := b + (next(a) - a) ;
```

If no next() assignment is specified for a variable, then the variable can evolve non deterministically, i.e. it is unconstrained. Unconstrained variables can be used to model non-deterministic *inputs* to

the system.



#### **Declaring the transition relation**







# **Specifying normal assignments**



- Sormal assignments constrain the *current value* of a variable to the current values of other variables.
- They can be used to model *outputs* of the system.

```
<variable> := <simple_expression> ;
```

<simple\_expression> must evaluate to values in the domain of the
 <variable>.



## **Specifying normal assignments**







#### **Restrictions on the ASSIGN**



For technical reasons, the transition relation must be *total*, i.e., for every state there must be at least one successor state.

In order to guarantee that the transition relation is total, the following restrictions are applied to the SMV programs:

- Double assignments rule Each variable may be assigned only once in the program.
- Circular dependencies rule A variable cannot have "cycles" in its dependency graph that are not broken by delays.

If an SMV program does not respect these restrictions, an error is reported by NuSMV.



# The modulo 4 counter with reset



The counter can be reset by an external "uncontrollable" reset signal.

```
MODULE main
 VAR
   b0 : boolean;
   bl : boolean;
   reset : boolean;
                                            \mathbf{O}
   out : 0..3;
 ASSIGN
   init(b0) := 0;
   next(b0) := case
                  reset = 1 : 0;
                  reset = 0 : !b0;
                                                         2
                                            3
                esac;
   init(b1) := 0;
   next(b1) := case
                  reset : 0;
                        : ((!b0 & b1) | (b0 & !b1));
                  1
                esac;
   out := b0 + 2*b1;
```

ITC irst

#### Modules



An SMV program can consist of one or more *module declarations*.

| ma | in |    |  |
|----|----|----|--|
|    | m1 | m2 |  |
|    |    |    |  |

- Modules are instantiated in other modules. The instantiation is performed inside the VAR declaration of the parent module.
- In each SMV specification there must be a module main. It is the top-most module.
- All the variables declared in a module instance are visible in the module in which it has been instantiated via the dot notation (e.g., m1.out, m2.out).



### **Module parameters**







Formal parameters (in) are substituted with the actual parameters (m2.out, m1.out) when the module is instantiated.

- Actual parameters can be any legal expression.
- Actual parameters are passed by reference.



# Example: The modulo 8 counter revisited

```
MODULE counter cell(tick)
  VAR
    value : boolean;
    done : boolean;
  ASSIGN
    init(value) := 0;
    next(value) := case
      tick = 0 : value;
      tick = 1 : (value + 1) mod 2;
    esac;
    done := tick & (((value + 1) mod 2) = 0);
```

Remarks:

tick is the formal parameter of module counter\_cell.



# Example: The modulo 8 counter revisited

```
MODULE main
VAR
bit0 : counter_cell(1);
bit1 : counter_cell(bit0.done);
bit2 : counter_cell(bit1.done);
out : 0..7;
ASSIGN
out := bit0.value + 2*bit1.value + 4*bit2.value;
```

Remarks:

- Module counter\_cell is instantiated three times.
- In the instance bit0, the formal parameter tick is replaced with the actual parameter 1.
- When a module is instantiated, all variables/symbols defined in it are preceded by the module instance name, so that they are unique to the instance.



### **Module hierarchies**



- p. 24

A module can contain instances of others modules, that can contain

instances of other modules... provided the module references are not circular.

```
MODULE counter 8 (tick)
  VAR
    bit0 : counter_cell(tick);
    bit1 : counter_cell(bit0.done);
    bit2 : counter_cell(bit1.done);
    out : 0..7;
    done : boolean;
  ASSIGN
    out := bit0.value + 2*bit1.value + 4*bit2.value;
    done := bit2.done;
MODULE counter_512(tick) -- A counter modulo 512
  VAR
    b0 : counter_8(tick);
    b1 : counter_8(b0.done);
    b2 : counter_8(b1.done);
    out : 0..511;
 ASSTGN
    out := b0.out + 8*b1.out + 64*b2.out;
                    The NuSMV Model Checker--- Feb 8, 2004, IIT Delhi --- India
```

## **Specifications**



In the SMV language:

- Specifications can be added in any module of the program.
- Each property is verified separately.
- Different kinds of properties are allowed:
  - Properties on the reachable states
    - *invariants* (INVARSPEC)
  - Properties on the computation paths (*linear time* logics):
    - LTL (LTLSPEC)
  - Properties on the computation tree (branching time logics):

• CTL (SPEC)



#### **Invariant specifications**



Invariant properties are specified via the keyword INVARSPEC:

```
INVARSPEC <simple_expression>
```

☞ Example:

```
MODULE counter cell(tick)
MODULE counter 8(tick)
  VAR
    bit0 : counter_cell(tick);
    bit1 : counter_cell(bit0.done);
    bit2 : counter_cell(bit1.done);
    out : 0..7;
    done : boolean;
  ASSIGN
    out := bit0.value + 2*bit1.value + 4*bit2.value;
    done := bit2.done;
  INVARSPEC
```

done <-> (bit0.done & bit1.done & bit2.done)



## **LTL specifications**



```
TL properties are specified via the keyword LTLSPEC:
         LTLSPEC <ltl_expression>
  where <ltl_expression> can contain the following temporal operators:
          X _ F _ G _ U _
A state in which out = 3 is eventually reached.
      LTLSPEC F out = 3
Condition out = 0 holds until reset becomes false.
      LTLSPEC (out = 0) U (!reset)
Section Even time a state with out = 2 is reached, a state with out = 3 is
```

reached afterwards.

LTLSPEC G (out =  $2 \rightarrow F$  out = 3)



# **CTL properties**



SPEC <ctl\_expression>

where <ctl\_expression> can contain the following temporal operators:

| AX _ | AF _ | AG _ | A[ | U _] |
|------|------|------|----|------|
| EX _ | EF _ | EG _ | E[ | U _] |

```
It is possible to reach a state in which out = 3.
```

```
SPEC EF out = 3
```

```
    A state in which out = 3 is always reached.
```

```
SPEC AF out = 3
```

It is always possible to reach a state in which out = 3.
SPEC AG EF out = 3

Even time a state with out = 2 is reached, a state with out = 3 is reached afterwards.

```
SPEC AG (out = 2 \rightarrow AF out = 3)
```



The NuSMV Model Checker--- Feb 8, 2004, IIT Delhi --- India

#### **Fairness Constraints**



Let us consider again the counter with reset.

- The specification AF out = 1 is not verified.
- On the path where reset is always 1, then the system loops on a state where out = 0, since the counter is always reset:

```
reset = 1,1,1,1,1,1,1...
```

```
out = 0, 0, 0, 0, 0, 0, 0...
```

Similar considerations hold for the property AF out = 2. For instance, the sequence:

```
reset = 0, 1, 0, 1, 0, 1, 0...
```

generates the loop:

out = 0, 1, 0, 1, 0, 1, 0...

which is a counterexample to the given formula.



#### **Fairness Constraints**



- SuSMV allows to specify fairness constraints.
- Fairness constraints are formulas which are assumed to be true infinitely often in all the execution paths of interest.
- During the verification of properties, NuSMV considers path quantifiers to apply only to fair paths.
- Fairness constraints are specified as follows:

FAIRNESS <simple\_expression>



#### **Fairness Constraints**



With the fairness constraint

```
FAIRNESS
out = 1
```

we restrict our analysis to paths in which the property out = 1 is true infinitely often.

- The property AF out = 1 under this fairness constraint is now verified.
- The property AF out = 2 is still not verified.
- Adding the fairness constraint out = 2, then also the property
  AF out = 2 is verified.





- p. 32

In the following example, the values of variables out and done are defined by the values of the other variables in the model.

```
MODULE main
                       -- counter 8
VAR
  b0 : boolean;
  b1 : boolean;
  b2 : boolean;
  out : 0..8;
  done : boolean;
ASSIGN
  init(b0) := 0;
  init(b1) := 0;
  init(b2) := 0;
  next(b0) := !b0;
  next(b1) := (!b0 & b1) | (b0 & !b1);
  next(b2) := ((b0 \& b1) \& !b2) | (!(b0 \& b1) \& b2);
  out := b0 + 2*b1 + 4*b2;
  done := b0 & b1 & b2;
                  The NuSMV Model Checker--- Feb 8, 2004, IIT Delhi --- India
```

#### **The DEFINE declaration**



DEFINE declarations can be used to define *abbreviations*:

```
MODULE main -- counter_8
VAR
  b0 : boolean;
  b1 : boolean;
  b2 : boolean;
ASSIGN
  init(b0) := 0;
  init(b1) := 0;
  init(b2) := 0;
  next(b0) := !b0;
  next(b1) := (!b0 & b1) | (b0 & !b1);
  next(b2) := ((b0 \& b1) \& !b2) | (!(b0 \& b1) \& b2);
DEFINE
  out := b0 + 2*b1 + 4*b2;
  done := b0 \& b1 \& b2;
```



#### **The DEFINE declaration**



The syntax of DEFINE declarations is the following:

```
DEFINE <id> := <simple_expression> ;
```

- They are similar to macro definitions.
- No new state variable is created for defined symbols (hence, no added complexity to model checking).
- Each occurrence of a defined symbol is replaced with the body of the definition.







The SMV language provides also the possibility to define *arrays*.

VAR

- x : array 0..10 of boolean;
- y : array 2..4 of 0..10;
- z : array 0..10 of array 0..5 of {red, green, orange};

ASSIGN

```
init(x[5]) := 1;
init(y[2]) := {0,2,4,6,8,10};
init(z[3][2]) := {green, orange};
```

Remark: Array indexes in SMV must be constants.



# The constraint style of model specification

#### The following SMV program:

can be alternatively defined in a constraint style, as follows:

```
MODULE main
VAR request : boolean;
   state : {ready,busy};
INIT
   state = ready
TRANS
   (state = ready & request) -> next(state) = busy
```



# The constraint style of model specification

- The SMV language allows for specifying the model by defining constraints on:
  - the states:

INVAR <simple\_expression>

- the initial states:
  - INIT <simple\_expression>
- the transitions:

TRANS <next\_expression>

- There can be zero, one, or more constraints in each module, and constraints can be mixed with assignments.
- Any propositional formula is allowed in constraints.
- ✓ Very useful for writing translators from other languages to NuSMV.
- INVAR p is equivalent to INIT p and TRANS next(p), but is more efficient.
- Risk of defining inconsistent models (INIT p & !p).



# **Assignments versus constraints**



Any ASSIGN-based specification can be easily rewritten as an equivalent constraint-based specification:

```
ASSIGN
```

```
init(state) := {ready,busy};
next(state) := ready;
out := b0 + 2*b1;
```

```
INIT state in {ready,busy}
TRANS next(state) = ready
INVAR out = b0 + 2*b1
```

The converse is not true: constraint

cannot be easily rewritten in terms of ASSIGNS.



# **Assignments versus constraints**



Models written in assignment style:

- by construction, there is always at least one initial state;
- by construction, all states have at least one next state;
- *non-determinism is apparent* (unassigned variables, set assignments...).

#### Models written in constraint style:

- INIT constraints can be inconsistent:
  - inconsistent model: no initial state,
  - any specification (also SPEC 0) is vacuously true.
- **•** TRANS constraints can be inconsistent:
  - the transition relation is not total (there are deadlock states),
  - NuSMV detects and reports this case.
- In non-determinism is hidden in the constraints:
  TRANS (state = ready & request) -> next(state) = busy



# **Synchronous composition**

By default, composition of modules is synchronous: all modules move at each step.

```
MODULE cell(input)
VAR
val : {red, green, blue};
ASSIGN
next(val) := {val, input};
MODULE main
VAR
c1 : cell(c3.val);
c2 : cell(c1.val);
c3 : cell(c2.val);
```







#### **Synchronous composition**



A possible execution:

| step | c1.val | c2.val | c3.val |
|------|--------|--------|--------|
| 0    | red    | green  | blue   |
| 1    | red    | red    | green  |
| 2    | green  | red    | green  |
| 3    | green  | red    | green  |
| 4    | green  | red    | red    |
| 5    | red    | green  | red    |
| 6    | red    | red    | red    |
| 7    | red    | red    | red    |
| 8    | red    | red    | red    |
| 9    | red    | red    | red    |
| 10   |        | red    | red    |



The NuSMV Model Checker --- Feb 8, 2004, IIT Delhi --- India

# **Asynchronous composition**



- Asynchronous composition can be obtained using keyword process.
- In asynchronous composition one process moves at each step.
- Boolean variable running is defined in each process:
  - it is true when that process is selected;
  - it can be used to guarantee a fair scheduling of processes.

```
MODULE cell(input)
VAR
val : {red, green, blue};
ASSIGN
next(val) := {val, input};
FAIRNESS
running
MODULE main
```

VAR

- c1 : process cell(c3.val);
- c2 : process cell(c1.val);
- c3 : process cell(c2.val);



#### **Asynchronous composition**



A possible execution:

| step | running | c1.val | c2.val | c3.val |
|------|---------|--------|--------|--------|
| 0    | -       | red    | green  | blue   |
| 1    | c2      | red    | red    | blue   |
| 2    | c1      | blue   | red    | blue   |
| 3    | c1      | blue   | red    | blue   |
| 4    | c2      | blue   | red    | blue   |
| 5    | c3      | blue   | red    | red    |
| 6    | c2      | blue   | blue   | red    |
| 7    | c1      | blue   | blue   | red    |
| 8    | c1      | red    | blue   | red    |
| 9    | c3      | red    | blue   | blue   |
| 10   |         | red    |        | blue   |



The NuSMV Model Checker—- Feb 8, 2004, IIT Delhi — India

#### **NuSMV resources**



NuSMV home page:

> http://nusmv.irst.itc.it/

Mailing lists:

- nusmv-users@irst.itc.it (public discussions)
- Inusmv-announce@irst.itc.it (announces of new releases)
- nusmv@irst.itc.it (the development team)
- fo subscribe: http://nusmv.irst.itc.it/mail.html

Course notes and slides:

http://nusmv.irst.itc.it/courses/

