### NuSMV: Property Specification \*

Alessandra Giordani agiordani@disi.unitn.it http://disi.unitn.it/~agiordani

Formal Methods Lab Class, April 15, 2014



Università degli Studi di Trento

<sup>\*</sup>These slides are derived from those by Stefano Tonetta, Alberto Griggio, Silvia Tomasi, Thi Thieu Hoa Le for FM lab 2011/13

#### **Contents**

- Property Specification
  - Invariants
  - CTL
  - Fairness
  - LTL

# Specifications

#### In the SMV language:

- Specifications can be added in any module of the program
- Specifications, both the ones in the program, and the ones entered through the NuSMV interactive shell, are collected into an internal database
- Each property is verified separately
- The result of a property verification is either "true" or "false". In the latter case, a counterexample is generated
  - the generation of a counterexample is not possible for all CTL properties: e.g., temporal operators corresponding to existential path quantifiers cannot be proved false by showing a single execution path

# Specifications

- Different kinds of properties are supported:
  - properties on the reachable states (propositional formulas which must hold invariantly in the model)
    - invariants (INVARSPEC)
  - properties on the computation tree (branching time temporal logics):
    - CTL (CTLSPEC)
  - properties on the computation paths (linear time temporal logics):
    - LTL (LTLSPEC)

#### Invariant specifications

- Invariant properties are specified via the keyword INVARSPEC: INVARSPEC <simple\_expression>
- Invariants are checked via the check\_invar command

#### An example: the modulo 4 counter with reset

```
MODULE main
                   -- counter4 reset.smv
VAR b0 : boolean;
    b1 : boolean;
    reset : boolean;
ASSIGN
  init(b0) := FALSE;
 next(b0) := case reset : FALSE;
                    !reset : !b0:
              esac;
  init(b1) := FALSE;
 next(b1) := case reset : FALSE;
                    TRUE : ((!b0 & b1) | (b0 & !b1)):
              esac:
DEFINE out := toint(b0) + 2*toint(b1):
```

INVARSPEC out < 2

# An example: the modulo 4 counter with reset



#### Invariant specifications

#### The invariant is false

```
NuSMV > check invar
-- invariant out < 2 is false
-- as demonstrated by the following execution sequence
Trace Description: AG alpha Counterexample
Trace Type: Counterexample
-> State: 1.1 <-
  b0 = FALSE
 b1 = FALSE
 reset = FALSE
  out. = 0
-> State: 1.2 <-
  b0 = TRUE
 out = 1
-> State: 1.3 <-
  b0 = FLASE
 b1 = TRUE
  out = 2
N11SMV >
```

• CTL properties are specified via the keyword CTLSPEC:

```
CTLSPEC <ctl_expression>
```

where <ctl\_expression> can contain the following temporal operators:

CTL properties are checked via the check\_ctlspec command



Examples of specifications:

#### Examples of specifications:

• It is possible to reach a state in which out = 3

#### Examples of specifications:

It is possible to reach a state in which out = 3
 CTLSPEC EF out = 3

#### Examples of specifications:

It is possible to reach a state in which out = 3
 CTLSPEC EF out = 3

It is inevitable that out = 3 is eventually reached

#### Examples of specifications:

It is possible to reach a state in which out = 3
 CTLSPEC EF out = 3

• It is inevitable that out = 3 is eventually reached CTLSPEC AF out = 3

#### Examples of specifications:

- It is possible to reach a state in which out = 3
   CTLSPEC EF out = 3
- It is inevitable that out = 3 is eventually reached
   CTLSPEC AF out = 3
- It is always possible to reach a state in which out = 3

#### Examples of specifications:

- It is possible to reach a state in which out = 3
   CTLSPEC EF out = 3
- It is inevitable that out = 3 is eventually reached
   CTLSPEC AF out = 3
- It is always possible to reach a state in which out = 3
   CTLSPEC AG EF out = 3

#### Examples of specifications:

It is possible to reach a state in which out = 3
 CTLSPEC EF out = 3

It is inevitable that out = 3 is eventually reached
 CTLSPEC AF out = 3

- It is always possible to reach a state in which out = 3
   CTLSPEC AG EF out = 3
- Every time a state with out = 2 is reached, a state with out = 3 is reached afterward

#### Examples of specifications:

- It is possible to reach a state in which out = 3
  - CTLSPEC EF out = 3
- It is inevitable that out = 3 is eventually reached
  - CTLSPEC AF out = 3
- It is always possible to reach a state in which out = 3
  - CTLSPEC AG EF out = 3
- Every time a state with out = 2 is reached, a state with out = 3 is reached afterward
  - CTLSPEC AG (out = 2 -> AF out = 3)

#### Examples of specifications:

- It is possible to reach a state in which out = 3
  - CTLSPEC EF out = 3
- It is inevitable that out = 3 is eventually reached
  - CTLSPEC AF out = 3
- It is always possible to reach a state in which out = 3
  - CTLSPEC AG EF out = 3
- Every time a state with out = 2 is reached, a state with out = 3 is reached afterward
  - CTLSPEC AG (out = 2 -> AF out = 3)
- The reset operation is correct

#### Examples of specifications:

• It is possible to reach a state in which out = 3

```
CTLSPEC EF out = 3
```

It is inevitable that out = 3 is eventually reached

• It is always possible to reach a state in which out = 3

```
CTLSPEC AG EF out = 3
```

 Every time a state with out = 2 is reached, a state with out = 3 is reached afterward

```
CTLSPEC AG (out = 2 -> AF out = 3)
```

The reset operation is correct



#### The need for Fairness Constraints

Let us consider again the counter with reset

- The specification AF out = 1 is not verified
- On the path where reset is always 1, the system loops on a state where out = 0, since the counter is always reset:

 Similar considerations hold for the property AF out = 2. For instance, the sequence

generates the loop

out = 
$$0,1,0,1,0,1...$$

which is a counterexample to the given formula



#### Fairness Constraints

- It is desirable that certain conditions hold infinitely often
  - AGAF p is a fairness property
- Fairness conditions are used to eliminate behaviours in which a certain condition p never holds (i.e. ¬ EFEG ¬p)
- NuSMV supports both justice and compassion fairness constraints
  - JUSTICE/FAIRNESS p consider only the executions that satisfy infinitely often the condition
  - COMPASSION (p,q)
     consider only the executions that either satisfy p finitely often or satisfy
     q infinitely often (i.e. p true infinitely often ⇒ q true infinitely often)

#### Remark:

 Currently, compassion constraints have some limitations (are supported only for BDD-based LTL model checking).

#### Fairness Constraints

Let us consider again the counter with reset. Let us add the following fairness constraint:

```
JUSTICE out = 3
```

(we restrict to paths in which the counter reaches the value 3 infinitely often)

The following properties are now verified:

```
NuSMV > check_ctlspec
-- specification EF out = 3 is true
-- specification AF out = 3 is true
-- specification AG EF out = 3 is true
-- specification AG (out = 2 -> AF out = 3) is true
```

We want to add a request operation to our adder, with the following semantics: every time a request is issued, the adder starts computing the sum of its operands. When finished, it stores the result in sum, setting done to true.

```
MODULE bit-adder(req, in1, in2, cin)
VAR.
  sum: boolean; cout: boolean; ack: boolean;
ASSIGN
  init(ack) := FALSE;
  next(sum) := (in1 xor in2) xor cin;
  next(cout) := (in1 & in2) | ((in1 | in2) & cin);
  next(ack) := case
      req: TRUE;
      !req: FALSE;
    esac;
```

```
MODULE adder(req, in1, in2)
VAR.
  bit[0]: bit-adder(
    req, in1[0], in2[0], FALSE);
  bit[1]: bit-adder(
    bit[0].ack, in1[1], in2[1],
    bit[0].cout):
  bit[2]: bit-adder(...);
  bit[3]: bit-adder(...);
DEFINE.
  sum[0] := bit[0].sum;
  sum[1] := bit[1].sum;
  sum[2] := bit[2].sum;
  sum[3] := bit[3].sum;
  overflow := bit[3].cout;
  ack := bit[3].ack;
```

```
MODULE main
VAR.
  req: boolean;
  a: adder(req, in1, in2);
ASSIGN
  init(req) := FALSE;
  next(req) :=
    case
      !req : {FALSE, TRUE};
      req:
        case
          a.ack : FALSE;
          TRUE: req;
        esac:
    esac:
```

 Every time a request is issued, the adder will compute the sum of its operands

 Every time a request is issued, the adder will compute the sum of its operands

```
CTLSPEC AG (req -> AF sum = op1 + op2);
```

 Every time a request is issued, the adder will compute the sum of its operands

```
CTLSPEC AG (req -> AF sum = op1 + op2);
CTLSPEC AG (req -> AF (done & sum = op1 + op2));
```

 Every time a request is issued, the adder will compute the sum of its operands

```
CTLSPEC AG (req -> AF sum = op1 + op2);
CTLSPEC AG (req -> AF (done & sum = op1 + op2));
```

 Every time a request is issued, the request holds untill the adder will compute the sum of its operands and set done to true

 Every time a request is issued, the adder will compute the sum of its operands

```
CTLSPEC AG (req -> AF sum = op1 + op2);
CTLSPEC AG (req -> AF (done & sum = op1 + op2));
```

 Every time a request is issued, the request holds untill the adder will compute the sum of its operands and set done to true

```
CTLSPEC AG (req -> A[req U (done & (sum = op1 + op2))]);
```

```
NuSMV > check_ctlspec -p "AG (req -> AF sum = op1 + op2)" -- specification AG (req -> AF sum = op1 + op2) is false -- as demonstrated by the following execution sequence [...]
```

```
NuSMV > check_ctlspec -p "AG (req -> AF sum = op1 + op2)" -- specification AG (req -> AF sum = op1 + op2) is false -- as demonstrated by the following execution sequence [...]
```

# Fixed: ASSIGN next(req) := case !req: case !a.ack: {FALSE, TRUE}; TRUE: req; esac:

```
req:
    case
    a.ack : FALSE;
    TRUE: req;
    esac;
esac;
```

#### The simple mutex example

```
MODULE user(semaphore)
VAR.
  state : { idle, entering, critical, exiting };
ASSIGN
  init(state) := idle;
  next(state) :=
    case
      state = idle : { idle, entering };
      state = entering & !semaphore : critical;
      state = critical : { critical, exiting };
      state = exiting : idle;
      TRUE : state:
    esac;
  next(semaphore) :=
    case
      state = entering : TRUE;
      state = exiting : FALSE;
      TRUE : semaphore;
    esac:
FATRNESS
  running
```

## The simple mutex example

```
MODULE main

VAR

semaphore : boolean;

proc1 : process user(semaphore);

proc2 : process user(semaphore);

ASSIGN

init(semaphore) := FALSE;

• two processes are never in the critical section at the same time
```

# The simple mutex example

```
MODULE main

VAR

semaphore : boolean;

proc1 : process user(semaphore);

proc2 : process user(semaphore);

ASSIGN

init(semaphore) := FALSE;

• two processes are never in the critical section at the same time

CTLSPEC AG !(proc1.state = critical & proc2.state = critical); -- safety
```

```
MODULE main
VAR
  semaphore : boolean;
  proc1 : process user(semaphore);
  proc2 : process user(semaphore);
ASSIGN
  init(semaphore) := FALSE;
```

- two processes are never in the critical section at the same time
   CTLSPEC AG !(proc1.state = critical & proc2.state = critical); -- safety
- whenever a process is entering the critical section then sooner or later it will be in the critical section

```
MODULE main
VAR
  semaphore : boolean;
  proc1 : process user(semaphore);
  proc2 : process user(semaphore);
ASSIGN
  init(semaphore) := FALSE;
```

- two processes are never in the critical section at the same time
   CTLSPEC AG !(proc1.state = critical & proc2.state = critical); -- safety
- whenever a process is entering the critical section then sooner or later it will be in the critical section

```
CTLSPEC AG (proc1.state = entering -> AF proc1.state = critical); -- liveness
```

```
MODULE main
VAR.
  semaphore : boolean;
  proc1 : process user(semaphore);
  proc2 : process user(semaphore);
ASSIGN
  init(semaphore) := FALSE;
  • two processes are never in the critical section at the same time
     CTLSPEC AG !(proc1.state = critical & proc2.state = critical); -- safety

    whenever a process is entering the critical section then sooner or later it will be in the

     critical section
     CTLSPEC AG (proc1.state = entering -> AF proc1.state = critical); -- liveness
NuSMV > check_ctlspec -n 0
-- specification AG !(proc1.state = critical & proc2.state = critical) is true
```

MODULE main

```
VAR.
  semaphore : boolean;
  proc1 : process user(semaphore);
  proc2 : process user(semaphore);
ASSIGN
  init(semaphore) := FALSE;
  • two processes are never in the critical section at the same time
     CTLSPEC AG !(proc1.state = critical & proc2.state = critical); -- safety

    whenever a process is entering the critical section then sooner or later it will be in the

     critical section
     CTLSPEC AG (proc1.state = entering -> AF proc1.state = critical); -- liveness
NuSMV > check_ctlspec -n 0
-- specification AG !(proc1.state = critical & proc2.state = critical) is true
NuSMV > check_ctlspec -n 1
-- specification AG (proc1.state = entering -> AF proc1.state = critical) is false
-- as demonstrated by the following execution sequence
                                                     (D) (A) (B) (B) (A)
Γ...1
                                                                             20 / 30
```

```
MODULE mutex(turn, other_non_idle, id)
VAR.
   state: {idle, waiting, critical};
ASSIGN
   init(state) := idle:
  next(state) :=
      case
         state=idle: {idle, waiting};
         state=waiting & (!other_non_idle|turn=id): critical;
         state=waiting: waiting;
         state=critical: idle:
      esac;
  next(turn) :=
      case
         next(state) = idle : !id;
         next(state) = critical : id;
         TRUE : turn;
      esac;
DEFINE
  non_idle := state in {waiting, critical};
FATRNESS
  running
```

```
MODULE main
VAR.
   turn: boolean;
  p0: process mutex(turn,p1.non_idle,FALSE);
  p1: process mutex(turn,p0.non_idle,TRUE);
NuSMV > NuSMV mutex.smv
-- specification AG (!(p0.state = critical &
                       p1.state = critical)) is true
-- specification AG (p0.state = waiting ->
                     AF p0.state = critical) is true
```

```
If we change the line
 state=critical: idle;
with
 state=critical: {critical. idle}:
the second property becomes false:
NuSMV> NuSMV mutex.smv
-- specification AG (!(p0.state = critical & p1.state = critical)) is true
-- specification AG (p0.state = waiting -> AF p0.state = critical) is false
```

To avoid the process staying in the critical session forever, we can add the fairness constraint:

FAIRNESS state=idle

*Is this restriction too strong?* 

```
By keeping this constraint and changing the line
state=waiting & (!other_non_idle|turn=id): critical;
with
state=waiting & (!other_non_idle): critical;
we get
NuSMV> NuSMV mutex_flaw.smv
-- specification AG (!(p0.state = critical & p1.state = critical)) is true
-- specification AG (p0.state = waiting -> AF p0.state = critical) is true
-- specification EF (p0.state = waiting & p1.state = waiting) is false
```

By keeping this constraint and changing the line state=waiting & (!other\_non\_idle|turn=id): critical; with state=waiting & (!other\_non\_idle): critical; we get NuSMV> NuSMV mutex\_flaw.smv -- specification AG (!(p0.state = critical & p1.state = critical)) is true -- specification AG (p0.state = waiting -> AF p0.state = critical) is true -- specification EF (p0.state = waiting & p1.state = waiting) is false

What happens? If both processes reach the waiting state, they reach a deadlock. This prevents the fulfillment of the fairness condition. Thus, in a fair path, the state p0.state = waiting & p1.state = waiting is forbidden.

LTL properties are specified via the keyword LTLSPEC:
 LTLSPEC <1tl\_expression>
 where <1tl\_expression> can contain the following temporal operators:

LTL properties are checked via the check\_ltlspec command









Examples of specifications:

#### Examples of specifications:

• A state in which out = 3 is eventually reached

#### Examples of specifications:

• A state in which out = 3 is eventually reached

```
LTLSPEC F out = 3
```

#### Examples of specifications:

• A state in which out = 3 is eventually reached

```
LTLSPEC F out = 3
```

• Condition out = 0 holds until reset becomes false

#### Examples of specifications:

• A state in which out = 3 is eventually reached

```
LTLSPEC F out = 3
```

• Condition out = 0 holds until reset becomes false

```
LTLSPEC (out = 0) U (!reset)
```

#### Examples of specifications:

• A state in which out = 3 is eventually reached

```
LTLSPEC F out = 3
```

• Condition out = 0 holds until reset becomes false

```
LTLSPEC (out = 0) U (!reset)
```

 Every time a state with out = 2 is reached, a state with out = 3 is reached afterward

#### Examples of specifications:

A state in which out = 3 is eventually reached

```
LTLSPEC F out = 3
```

• Condition out = 0 holds until reset becomes false

```
LTLSPEC (out = 0) U (!reset)
```

 Every time a state with out = 2 is reached, a state with out = 3 is reached afterward

```
LTLSPEC G (out = 2 \rightarrow F out = 3)
```

All the previous specifications are false:

```
NuSMV > check_ltlspec
-- specification F out = 3 is false ...
-- loop starts here --
-> State 1.1 <-
   b0 = FALSE
   b1 = FALSE
   reset = TRUE
   out = 0
-> State 1.2 <-
-- specification (out = 0 U (!reset)) is false ...
-- loop starts here --
-> State 2.1 <-
   b0 = FALSE
   b1 = FALSE
   reset = TRUE
   011t = 0
-> State 2.2 <-
-- specification G (out = 2 -> F out = 3) is false ...
```

### The property database

 All properties are collected into an internal database, which can be visualized via the show\_property command:

Every property can be accessed through its database index