

# Advanced Software Engineering Introduction to Model Checking

JUNBEOM YOO KONKUK University





### Text

B. Bérard • M. Bidoit • A. Finkel • F. Laroussinie A. Petit • L. Petrucci • Ph. Schnoebeien with P. McKenzie



# Systems and Software Verification

Model-Checking Techniques and Tools

Springer

DEPENDABLE SOFTWARE LABORATORY

- Automata
- Temporal Logic
- Model Checking
- Property Patterns

# **FORMAL VERIFICATION : BASIC**

# 1. Automata



### 1. Automata

- Model checking consists in verifying some properties of the model of a system.
  - Modeling of a system is difficult.
    - No universal method exists to model a system.
    - Best performed by qualified engineers
- This chapter describes a general model which serves as a basis.
- Organization
  - Introductory Examples
  - A Few Definitions
  - A Printer Manager
  - A Few More Variables
  - Synchronized Product
  - Synchronization with Messaging Passing
  - Synchronization by Shared Variables





## **1.1 Introductory Examples**

#### • (Finite) Automata

- A machine evolving from one state to another under the action of transitions
- Graphical representation
- Best suited for verification by model checking techniques



An automate model of a digital watch (24x60=1440 states)







A<sub>c3</sub> : a modulo 3 counter



7



- A digicode door lock example
  - Controls the opening of office doors
  - The door opens upon the keying in of the correct character sequence, irrespective of any possible incorrect initial attempts.
  - Assumptions:
    - 3 keys A, B, and C
    - Correct key sequence : ABA







- Two fundamental notations
  - execution
    - A sequence of states describing one possible evolution of the system
    - Ex. 1121 , 12234 , 112312234 ← 3 different executions
  - execution tree
    - A set of all possible executions of the system in the form of a tree
    - Ex. 1

```
11, 12
111, 112, 121, 122, 123
1111, 1112, 1121, 1122, 1123, 1211, 1212, 1221, 1222, 1223, 1231,1234
...
```





- We now associate each <u>automaton state</u> with a number of <u>elementary</u> <u>properties</u> which we know they are satisfies.
  - Since our goal is to verify system model properties.

#### • Properties

- Elementary property
  - (atomic) Proposition
  - Associated with each state
  - True or False in a given state
- Complicated property
  - Expressed using elementary properties
  - Depends on the logic we use







- For example,
  - $P_A$ : an A has just been keyed in
  - $P_B$ : an *B* has just been keyed in
  - $P_C$ : an C has just been keyed in
  - $pred_2$ : the proceeding state in an execution is 2
  - $pred_3$ : the proceeding state in an execution is 3
  - Properties of the system to verify
    - 1. If the door opens, then A, B, A were the last three letters keyed in, in that order.
    - 2. Keying in any sequence of letters ending in ABA opens the door.
  - Let's prove the properties with the propositions







## **1.2 A Few Definition**

- An automaton is a tuple  $A = \langle Q, E, T, q_0, l \rangle$  in which
  - Q : a finite set of states
  - E : the finite set of transition labels
  - $T \subseteq Q \ x \ E \ x \ Q$ : the set of transitions
  - $q_o$ : the initial state of the automaton
  - -l: the mapping each state with associated sets of properties which hold in it
    - *Prop* = {*P*1, *P*2, ... } : a set of elementary propositions









- Formal definitions of automaton's behavior
  - a *path* of automaton A :
    - A sequence  $\sigma$ , finite or infinite, of transitions which follows each other
    - $\text{Ex.3} \xrightarrow{B} 1 \xrightarrow{A} 2 \xrightarrow{A} 2$
  - a *length* of a path  $\sigma$ :
    - $|\sigma|$
    - $\sigma$  's potentially infinite number of transitions:  $|\sigma| \in N \cup \{\omega\}$
  - a *partial execution* of A :
    - A path starting from the initial state  $q_0$
    - Ex.1  $\xrightarrow{A}$  2  $\xrightarrow{A}$  2  $\xrightarrow{B}$  3
  - a complete execution of A :
    - An execution which is maximal.
    - Infinite or deadlock

#### - a reachable state :

- A state is said to be reachable,
  - If a state appears in the execution tree of the automaton
  - If there exists at least one execution in which it appears







### **1.3 Printer Manager**





$$\begin{split} A &= \langle Q, E, T, q_o, l \rangle \\ &- Q = \{0, 1, 2, 3, 4, 5, 6, 7\} \\ &- E = \{\text{req}_A, \text{req}_B, \text{beg}_{A'}, \text{beg}_B, \text{end}_{A'}, \text{end}_B\} \\ &- T = \{ (0, \text{req}_{A'}1), (0, \text{req}_{B'}2), (1, \text{req}_B, 3), (1, \text{beg}_A, 6), (2, \text{req}_A, 3), \\ (2, \text{beg}_B, 7), (3, \text{beg}_A, 5), (3, \text{beg}_B, 4), (4, \text{end}_B, 1), (5, \text{end}_A, 2), \\ (6, \text{end}_A, 0), (6, \text{req}_B, 5), (7, \text{end}_B, 0), (7, \text{req}_A, 4) \} \\ &- q_o = 0 \\ \\ &- l = \begin{cases} 0 \rightarrow \{R_{A'}, R_B\}, & 1 \rightarrow \{W_{A'}, R_B\} \\ 2 \rightarrow \{R_{A'}, W_B\}, & 3 \rightarrow \{W_{A'}, W_B\} \\ 4 \rightarrow \{W_{A'}, P_B\}, & 5 \rightarrow \{P_{A'}, W_B\} \\ 6 \rightarrow \{P_{A'}, R_B\}, & 7 \rightarrow \{R_{A'}, P_B\} \end{cases} \end{split}$$







- **Properties** of the printer manager to verify
  - 1. We would undoubtedly wish to prove that any printing operation is preceded by a print request.
    - In any execution, any state in which P<sub>A</sub> holds is preceded by a state in which the proposition W<sub>A</sub> holds.
  - 2. Similarly, we would like to check that any print request is ultimately satisfied.  $(\rightarrow \text{ fairness property})$ 
    - In any execution, any state in which W<sub>A</sub> holds is followed by a state in which the proposition P<sub>A</sub> holds.
- Model checking techniques allow us to prove automatically
  - Property 1 is TRUE.
  - Property 2 is FALSE,
    - A counterexample : 0 1 3 4 1 3 4 1 3 4 1 3 4 1 ...





### **1.4 Few More Variables**

- It is often convenient to let automata manipulate state variables.
  - Control : states + transitions
  - Data : variables (assumes finite number of values)
- An automaton interacts with variables in two ways:
  - Assignments
  - Guards (guarding conditions)







The digicode with guarded transitions





- It is often necessary, in order to apply model checking methods,
  - to *unfold* the behaviors of an automaton with variables
  - into a state graph
  - in which the possible transitions appear, and the configurations are clear marked.

- Unfolded automaton = Transition system
  - has <u>global states</u>
  - transitions are <u>no longer guarded</u>
  - <u>no assignments</u> on the transitions







KU KONKUK UNIVERSITY



### **1.5 Synchronized Product**

- Real-life programs or systems are often composed of **modules** or subsystems.
  - − Modules/Components  $\rightarrow$  (composition)  $\rightarrow$  Overall system
  - Component automata  $\rightarrow$  (synchronization)  $\rightarrow$  Global automaton
- Automata for an overall system often has so many global states.
  - Impossible to construct it directly (State explosion problem)
  - We need to construct it with small component automata.
    - Two composition ways
      - With synchronization (= Synchronized product)
      - Without synchronization (= Cartesian product)





- An example without synchronization ۲
  - A system made up of three counters (modulo 2, 3, 4)
  - They do not interact with each other. —

LABORATORY

Global automaton = Cartesian product of three independent automata





- An example <u>with synchronization</u>
  - There are a number of ways depending on the nature of the problem.
  - Ex. Allowing only "inc, inc, inc" and "dec, dec, dec" (24\*2=48 transitions)
  - Ex. Allowing updates in only one counter at a time (24\*3\*2=144 transitions)

#### Synchronized product

- A way to formally express synchronizing options
- Synchronized product = Component automata + Synchronized set
- $A_1 \times A_2 \times \ldots \times A_n$  : Component automata

$$- A = \langle Q, E, T, q_{0}, I \rangle \\
- Q = Q_{1} \times Q_{2} \times ... \times Q_{n} \\
- E = \prod_{1 \le i \le n} (E_{i} \cup \{-\}) \\
- T = \left\{ \begin{array}{l} ((q_{1}, ..., q_{n}), (e_{1}, ..., e_{n}), (q'_{1}, ..., q'_{n})) \mid \text{ for all } i, \\
(e_{i} = `-` \text{ and } q'_{i} = q_{i}) \text{ or } (e_{i} \neq `-` \text{ and } (q_{i}, e_{i}, q'_{i}) \in T_{i}) \end{array} \right\} \\
- q_{0} = (q_{0,1}, ..., q_{0,n}) \\
- I((q_{1}, ..., q_{n})) = \bigcup_{1 \le i \le n} l_{i}(q_{i})$$

- Sync  $\subseteq \prod_{1 \le i \le n} (E_i \cup \{-\})$  : Synchronized set



#### • An example <u>with synchronization</u>

- Allowing only "inc, inc, inc" and "dec, dec, dec" (24\*2=48 transitions)
   → Strongly coupled version of modular counters
- Sync = { (inc, inc, inc), (dec, dec, dec) }

$$- T = \begin{cases} ((q_1, \dots, q_n), (e_1, \dots, e_n), (q'_1, \dots, q'_n)) \mid (e_1, \dots, e_n) \in Sync \\ (e_i = `-` and q'_i = q_i) \text{ or } (e_i \neq `-` and (q_i, e_i, q'_i) \in T_i) \end{cases}$$



12 states

24 transitions (inc, inc, inc) (dec, dec, dec)



#### Reachable states

Reachability depends on the synchronization constraints



#### Reachability graph

- Obtained by deleting non-reachable states
- Many tools to construct R.G. of synchronized product of automata
- Reachability is a difficult problem.
  - State explosion problem







## **1.6 Synchronization with Message Passing**

- Message passing framework
  - A special case of synchronized product
  - **!m** : Emitting a message
  - **?m** : Reception of the message
  - Only the transition in which !m and ?m pairs are executed simultaneously is permitted.
  - Synchronous communication
    - Control/command system
  - Asynchronous communication
    - Communication protocol (using channel/buffer)





#### • Smallish elevator

- Synchronous communication (message passing)
- One cabin
- Three doors (one per floor)
- One controller
- No request from the three floors





The *i*<sup>th</sup> door









- An automaton for the smallish elevator example
  - Obtained as the synchronized product of the 5 automata
  - (door 0, door 1, door 2, cabin, controller)

```
- Sync = { (?open_0, -, -, -, !open_0), (?close_0, -, -, -, !close_0),
(-, ?open_1, -, -, !open_1), (-, ?close_1, -, -, !close_1),
(-, -, ?open_2, -, !open_2), (-, -, ?close_2, -, !clsoe_2),
(-, -, -, ?down, !down), (-, -, -, ?up, !up) }
```

#### • **Properties** to check

- (P1) The door on a given floor cannot open while the cabin is on a different floor.
- (P2) The cabin cannot move while one of the door is open.
- Model checker
  - Can build the synchronized product of the 5 automata.
  - Can check automatically whether properties hold or not.





## **1.7 Synchronization by Shared Variables**

- Another way to have components communicate with each other
  - Share a certain number of variables
  - Allow variables to be **shared** by several automata
  - Ex. The printer manager in Chapter 1.3
    - Problem: Fairness property is not satisfied.





- The printer manager synchronized with a shared variable
  - Shared variable: turn
- Fairness property: "Any print request is ultimately satisfied."
  - No state of the form (y, t, -) is reachable.
  - TRUE in the model
  - But this model forbids either user from printing twice in a row.







- Printer manager : A complete version with 3 variables [by Peterson]
  - $\mathbf{r}_{A}$ : a request from user A
  - **r**<sub>B</sub> : a request from user B
  - turn : to settle conflicts
  - Satisfies all our properties.



$$A_{A_{XB}} = \langle Q, E, T, q_{O}, l \rangle$$
  
- 
$$Q = A \times B \times r_{A} \times r_{B} \times turn$$
  
$$4 \times 4 \times 2 \times 2 \times 2 = 128 \text{ states (only 128 reachable states)}$$





# 2. Temporal Logic



## 2. Temporal Logic

- Motivation:
  - The elevator example includes two properties
    - "Any elevator request must ultimately be satisfied."
    - "The elevator never traverses a floor for which a request is pending without satisfying this request."
    - $\rightarrow$  Dynamic behavior
  - In a first order logic,

• 
$$\forall t, \forall n (app(n, t) \Rightarrow \exists t' > t : serv(n, t'))$$
  
•  $\forall t, \forall t' > t, \forall n, \begin{bmatrix} (app(n, t) \land H(t') \neq n \land \exists t_{trav} : \\ t \leq t_{trav} \leq t' \land H(t_{trav}) = n) \\ \Rightarrow (\exists t_{serv} : t \leq t_{serv} \leq t' \land serv(n, t_{serv})) \end{bmatrix}$ 

- But, the above notation (mathematics) is quite cumbersome.
- **Temporal Logic** is a different formalism, better suited for our situation.





## 2. Temporal Logic

#### Temporal Logic

- A form of logic specifically tailored for statements and reasoning
  - involving the notion of order in time
- Compared with the mathematical formulas
  - clearer and simpler
  - immediately ready for use (linguistic similarity of operators)
  - formal semantics (specification language tools)

- Organization
  - The Language of Temporal Logic
  - The Formal Syntax of Temporal Logic
  - The Semantics of Temporal Logic
  - PLTL and CTL: Two Temporal Logics
  - The Expressivity of CTL\*





# 2.1 The Language of Temporal Logic

- CTL\*
  - serves to formally state the properties concerned with the execution of a system
  - variants (CTL, PLTL, LTL)
  - 6 characteristics

#### **1. Atomic Propositions**

- warm, ok, error

#### 2. Proposition Formula

- using Boolean combinators
- true, false,  $\neg$ ,  $\lor$ ,  $\land$ ,  $\Rightarrow$  (if then),  $\Leftrightarrow$  (if and only if)

q<sub>0</sub> warm ok q<sub>1</sub> ok q<sub>2</sub> error

error ⇒ ¬ warm
 (if error then not warm)

 $\begin{aligned} \sigma_1 &: (q_0: warm, ok) \rightarrow (q_1: ok) \rightarrow (q_0: warm, ok) \rightarrow (q_1: ok) \rightarrow ... \\ \sigma_2 &: (q_0: warm, ok) \rightarrow (q_1: ok) \rightarrow (q_2: error) \rightarrow (q_0: warm, ok) \rightarrow (q_1: ok) \rightarrow ... \\ \sigma_3 &: (q_0: warm, ok) \rightarrow (q_1: ok) \rightarrow (q_2: error) \rightarrow (q_2: error) \rightarrow (q_2: error) \rightarrow ... \end{aligned}$ 





#### 3. Temporal combinators

- about the sequencing of states along an execution
- X : next state
- F : a future state

- $\sigma_2 : (q_0: warm, ok) \rightarrow (q_1: ok) \rightarrow (q_2: error) \rightarrow (q_0: warm, ok) \rightarrow (q_1: ok) \rightarrow \dots$
- G : all the future states
- X P : the next state satisfies P
- F P : a future state satisfies P without specifying which state
   → P will hold some day (at least once)
- G P : all future states will satisfy P
   → P will always be
- $alert \Rightarrow F halt$  : if we are currently in a state of *alert*, then we will later be in a *halt* state.
- G (*alert* ⇒ F *halt*) : at any time, a state of *alert* will necessarily be followed by a *halt* state later.
- G (warm  $\Rightarrow$  F  $\neg$ warm ) : true
- G (warm  $\Rightarrow$  X  $\neg$ warm ) : true
- G is the dual of F
  - G  $\phi \equiv \neg F \neg \phi$







#### 4. Arbitrary nesting of temporal combinators

- giving temporal logic its power and strength
- GF  $\phi$ : always there will some day be a state such that  $\phi$ ,  $\phi$  is satisfied infinitely often along the execution considered
- FG  $\phi$  : all the time from a certain time onward, at each time instant, possibly excluding a finite number of instants
- GF warm  $\lor$  FG error



#### 5. U combinator

• for until

٠

- $\phi_1 \cup \phi_2 : \phi_1$  is verified until  $\phi_2$  is verified  $\phi_2$  will be verified some day, and  $\phi_1$  will hold in the meantime
- G  $(alert \Rightarrow (alarm \cup halt))$ : starting from a state of alert, the alarm remains activated until the halt state is eventually and inexorably reached.
- F  $\phi$  = true U  $\phi$
- $\phi_1 W \phi_2 \equiv (\phi_1 U \phi_2) \vee G \phi_1$  : weak until





#### 6. Path quantifier

- A  $\phi$  : all the executions out of the current state satisfy property  $\phi$
- E  $\phi$  : from the current state, there exists an execution satisfying  $\phi$
- EF *P* : it is possible (by following a suitable execution) to have *P* some day
- EG P: there exists an execution along which P always holds
- AF *P* : we will necessarily have *P* some day (regardless of the chosen execution)
- AG P: always true







# 2.2 Formal Syntax of Temporal Logic

- Abstract grammar
  - needs parentheses, operator priority, specific set of atomic propositions, etc.
  - Most model checkers use a fragment of CTL\* CTL or LTL.

$$- \phi, \Psi ::= P1 | P2 | ...| \neg \phi | \phi \land \Psi | \phi \Rightarrow \Psi | ...| X\phi | F\phi | G\phi | \phi U\Psi | ...| E\phi | A\phi$$

(atomic proposition)(boolean combinators)(temporal combinators)(path quantifiers)





# **2.3 The Semantics of Temporal Logic**

#### Kripke structure

- Name of the models of temporal logic
- Propositions labeling the states are important in CTL\*
- Transition labels (*E*) are neglected.  $A = \langle Q, T, q_o, l \rangle$ ,  $T \subseteq Q \times Q$

#### Satisfaction

- A, $\sigma$ ,i  $\ddagger \phi$ 
  - "at time *i* of the execution  $\sigma$ ,  $\phi$  is true."
  - where  $\sigma$  is an execution of A, which not required to start at the initial state
  - *A* is often omitted.
- $\sigma, i \not\models \phi$  :  $\phi$  is satisfied at time *i* of  $\sigma$
- $\sigma, i \not\models \phi$  :  $\phi$  is not satisfied at time *i* of  $\sigma$
- $A \not\models \phi$  iff  $\sigma$ ,  $0 \not\models \phi$  for every execution of  $\sigma$  of A
  - "the automaton A satisfies  $\phi$ "
  - $A \not\models \phi \neq A \not\models \neg \phi$
  - $\sigma,i \not\models \phi = \sigma,i \not\models \neg \phi$



KU KONKUK UNIVERSITY

$$\begin{array}{ll} \sigma,i\models P & \text{iff } P\in l(\sigma(i)),\\ \sigma,i\models\neg\phi & \text{iff it is not true that } \sigma,i\models\phi,\\ \sigma,i\models\phi\wedge\psi & \text{iff } \sigma,i\models\phi \text{ and } \sigma,i+1\models\phi,\\ \sigma,i\models F\phi & \text{iff there exists } j \text{ such that } i\leq j\leq |\sigma| \text{ and } \sigma,j\models\phi,\\ \sigma,i\models G\phi & \text{iff for all } j \text{ such that } i\leq j\leq |\sigma|, \text{ we have } \sigma,j\models\phi,\\ \sigma,i\models\phi\cup\psi & \text{iff there exists } j, i\leq j\leq |\sigma| \text{ such that } \sigma,j\models\psi, \text{ and}\\ \text{for all } k \text{ such that } i\leq k< j, \text{ we have } \sigma,k\models\phi,\\ \sigma,i\models A\phi & \text{iff for all } \sigma' \text{ such that } \sigma(0)\dots\sigma(i)=\sigma'(0)\dots\sigma'(i) \text{ and}\\ \sigma',i\models\phi.\\ \end{array}$$

#### Semantics of CTL\*

#### CTL\*

- Time is discrete.
- Nothing exists between i and i + 1.
- The instants are the points along the executions



# 2.4 PLTL and CTL: Two Temporal Logics

- Two most commonly used temporal logics in model checking tools
  - PLTL (Propositional Linear Temporal Logic)
  - CTL (Computational Tree Logic)
  - fragments of CTL\*

#### • PLTL

- No path quantifiers (A and E)
- Linear time logic  $\rightarrow$  Path formula
  - Ex. PLTL cannot distinguish  $A_1$  from  $A_2$



Execution 1 : {P, Q} . {P}. {-} Execution 2 : {P, Q} . {P} . {Q}



#### • CTL

- Temporal combinators (X, F, U) should be under the immediate scope of path quantifier (A, E)
- EX , AX , EU , AU , EF , EG , AG , AF , ...
- State formulas
  - Truth only depends on the current state and the automaton regions made reachable by it
  - Not depending on a current execution
  - $q \not\models \phi$  :  $\phi$  is satisfied in state q
  - CTL can distinguish automata  $A_1$  and  $A_2$



# $egin{aligned} &A_{1}\!, q_{o} & \end{aligned} & \operatorname{\mathsf{AX}}\left(\operatorname{\mathsf{EX}} Q \wedge \operatorname{\mathsf{EX}} \neg Q ight) \ &A_{2}\!, q'_{o} & \end{aligned} & \operatorname{\mathsf{AX}}\left(\operatorname{\mathsf{EX}} Q \wedge \operatorname{\mathsf{EX}} \neg Q ight) \end{aligned}$

- Potential reachability : AG EF P
- Do not allow to express very rich properties along the paths.





- Which to choose CTL or PLTL?
  - To state some properties : PLTL
  - To perform exhaustive verification of a system : CTL
  - For both purposes : CTL\*
    - Less popular
    - More complicated than PLTL
  - CTL + Fairness properties : FCTL
  - If we use model checking tools, we have no choice
    - SMV : CTL / PLTL
    - SPIN : PLTL
    - VIS : CTL / PLTL
  - No model checking tool for CTL\*







# 3. Model Checking



# 3. Model Checking

- Motivation:
  - Describe the principles underlying the algorithms used for model checking
  - The algorithm to find out whether a given automaton satisfies a given temporal formula
    - Different algorithms for CTL and PLTL

- Organization
  - Model Checking CTL
  - Model Checking PLTL
  - The State Explosion Problem





# **3.1 Model Checking CTL**

- Model checking algorithm for CTL
  - Developed in 1980s
  - Runs in time linear in each of its components (automaton and CTL formula)
  - Relies on the fact that CTL can only express state formulas
- Basic principles
  - procedure <u>marking</u>
    - Starting from a CTL formula  $\phi$
    - Mark for each state q of the automaton and for each sub-formula  $\psi$  of  $\phi$ ,
    - Whether  $\psi$  is satisfied in state q
- Complexity of the algorithm
  - Model checking " does  $A,q_o \nmid \Phi$  ? " for a CTL formula  $\Phi$
  - can be solved in time O(  $|A| \times |\Phi|$  )
    - O(|A|): for marking the automaton
    - $O(|\Phi|)$ : for each sub-formula in  $\Phi$
  - Linear!!!





```
procedure marking(phi)
  case 1: phi = P
    for all q in Q, if P in 1(q) then do q.phi := true,
                                    else do q.phi := false.
  case 2: phi = not psi
    do marking(psi);
   for all q in Q, do q.phi := not(q.psi).
  case 3: phi = psi1 /\ psi2
    do marking(psi1); marking(psi2);
   for all q in Q, do q.phi := and(q.psi1, q.psi2).
  case 4: phi = EX psi
   do marking(psi);
                                                                    case 6: phi = A psi1 U psi2
                                                                      do marking(psi1); marking(psi2);
                                           /* initialisation */
   for all q in Q, do q.phi := false;
                                                                                                    /* L: states to be processed */
                                                                     L := \{\}
   for all (q,q') in T, if q'.psi = true then do q.phi := true.
                                                                     for all q in Q,
                                                                        q.nb := degree(q); q.phi := false;
                                                                                                              /* initialisation */
 case 5: phi = E psi1 U psi2
                                                                     for all q in Q, if q.psi2 = true then do L := L + { q };
   do marking(psi1); marking(psi2);
                                                                      while L nonempty {
   for all q in Q,
                                                                                                                 /* must mark q */
                                                                        draw q from L;
      q.phi := false; q.seenbefore := false;/* initialisation */
                                                                       L := L - \{q\};
   L := \{\};
                                 /* L: states to be processed */
                                                                       q.phi := true;
   for all q in Q, if q.psi2 = true then do L := L + { q };
                                                                                                   /* q' is a predecessor of q */
                                                                       for all (q',q) in T {
   while L nonempty {
                                                                                                                   /* decrement */
                                                                     q'.nb := q'.nb - 1;
                                                /* must mark q */
      draw q from L;
                                                                     if (q'.nb = 0) and (q'.psi1 = true) and (q'.phi = false)
     L := L - \{q\};
                                                                           then do L := L + \{q'\};
     q.phi := true;
                                                                    }
     for all (q',q) in T { /* q' is a predecessor of q */
       if q'.seenbefore = false then do {
          q'.seenbefore := true;
          if q'.psi1 = true then do L := L + \{q'\};
       }
     }
   }
```





# **3.2 Model Checking PLTL**

- Model checking algorithm for PLTL
  - Developed in 1980s, but too technical to cover in this course
  - Not possible to rely on marking the automaton states, since PLTL uses path formulas.
    - A finite automaton will generally give rise to infinitely many different executions, themselves often infinite in length.
  - Hence, PLTL uses a <u>language theory</u> :  $\omega$ -regular expression
    - An extension of a regular expression
    - "\*" : an arbitrary but finite number of repetitions
      - (a b\* + c)\*
    - "ω": an infinite number of repetitions





- Basic principle
  - Model checking " does  $A \nmid \phi$  ? " for a PLTL formula  $\phi$
  - Reduces to a " Are all the execution of A described by  $\varepsilon_{\phi}$ ?"
  - A PLTL model checker construct an automaton  $B_{\neg\phi}$  (recognizing executions which do not satisfy  $\phi$ )
  - Strongly synchronize A and  $B_{\neg\phi} \rightarrow A \otimes B_{\neg\phi}$
  - Finally reduces to " is the language recognized by  $A \otimes B_{\neg\phi}$  empty ?"
- A simple example
  - $-\phi$ : G(P  $\Rightarrow$  XF Q) : Any occurrence of P must be followed (later) by an occurrence of Q
  - $B_{\neg\phi}$  : There exists an occurrence of *P* after which we will never again encounter Q











 $A \otimes B_{\neg \phi}$  :  $t_5 \otimes u_1$ ¬Ρ ٦Q ¬P  $t_1 \otimes u_2$ ¬Q  $t_5 \otimes u_0$  $t_1 \otimes u_0$ ¬P Ρ  $t_4 \otimes u_2$ ¬Q Q ¬P Ρ  $t_4 \otimes u_0$ Q  $t_2 \otimes u_2$ ¬Q  $t_3 \otimes u_2$ ¬P  $t_2 \otimes u_0$  $t_3 \otimes u_0$ **¬O** ¬P ٦Q

There are behaviors of A accepted by  $A \otimes B_{\neg \phi}$ 

→ The language recognized by  $A \otimes B_{\neg \phi}$  is nonempty. →  $A \not\models \phi$ 



- Construction of  $B_{\neg\phi}$ 
  - Very difficult technically
  - Automaton  $B_{\neg\phi}$  must in general be able to recognize infinite words
    - → Büchi automata
- Complexity of the algorithm
  - $B_{\neg\phi}$  has size O(2<sup>| $\phi$ |</sup>) in the worst case
  - $A \otimes B_{\neg \phi}$  has size  $O(|A| \times |B_{\neg \phi}|)$
  - If  $A \otimes B_{\neg \phi}$  fits in computer memory, we can determine it in time  $O(|A| \times |B_{\neg \phi}|)$
  - Model checking "does A,  $q_0 \nmid \phi$ ?" for a PLTL formula  $\phi$  can be done in time  $O(|A| \times 2^{|\phi|})$

#### Reachability analysis

- We can say that  $B_{\neg\phi}$  observes the behavior of A when the two automata are synchronized.
- Observable automata = formal specification of the desired property
  - UPPAAL
  - SPIN





# **3.3 The State Explosion Problem**

#### State explosion problem

- The main obstacle encountered by model checking algorithms
- The algorithms rely on explicit construction of the automaton A
  - Traversal and marking (in case of CTL)
  - Synchronization with  $B \neg \phi$  and seeking of reachable states and loops (in case of PLTL)
- In practice, the number of states of A is quickly very large.
  - If we use values that are not priori bounded (integers, a waiting queue, etc.), we cannot even apply it.
- Explicit model checking  $\rightarrow$  Symbolic model checking (Chapter 4)









### **Patterns of Temporal Properties**

- Writing the temporal logic formulas expressing desired system properties is important but difficult.
  - No silver bullet
  - No automatic generation
- 4 classification (categories/patterns) according to verification goals
  - Reachability property
    - Some particular situation can be reached.
  - Safety property
    - Under certain condition, something never occurs.
  - Liveness property
    - Under certain condition, something will ultimately occur.
  - Fairness property
    - Under certain condition, something will (or not) occur infinitely often.

#### Deadlock freeness



# 4. Properties

# **Reachability Properties**



# 6. Reachability Properties

- Reachability property
  - Some particular situation can be reached.
  - Examples:
    - (R1) "We can obtain n<0 "
    - (R2) " We can enter a critical section " ← simple
    - (R3) "We cannot have n<0 "
    - (R4) "We cannot reach the crash state " ← negation of the simple
    - (R5) "We can enter the critical section without traversing n=0 " ← with conditional restricts
    - (R6) "We can always return to the initial state " ← stronger / nested
    - (R7) "We can return to the initial state "





# 6.1 Reachability in Temporal Logic

• ΕF Φ

- "There exists a path from the current state along which some state satisfying  $\phi$  "
- (R1) "We can obtain n<0 "
  - EF (n<0)
- (R2) "We can enter a critical section "
  - EF crit\_sec
- (R3) "We cannot have n<0 "
  - ¬EF (n<0)
- (R4) "We cannot reach the crash state "
  - ¬EF crash
  - AG ¬crash
  - "Along every path, at any time, ¬crash"
- (R5) "We can enter the critical section without traversing n=0 "
  - E (n≠0) U crit\_sec
  - " There exists a path along which  $n \neq o$  holds until crit\_sec becomes true. "
- (R6) "We can always return to the initial state "
  - AG (EF init)
- (R7) "We can return to the initial state "
  - EF init





# 6.2 Model Checkers and Reachability

- Reachability properties are typically the easiest to verify.
  - All model checkers can answer it in principle by simply examining their reachability graph.
- But, they do vary in richness.
  - conditional reachability
  - nested reachability
  - etc.
- Design/CPN is specifically designed for reachability property verification.





# 6.3 Computation of the Reachability Graph

- The effective construction of set of reachable states are non-trivial.
  - Several automata are synchronized.
- Algorithms dealing with reachability problems
  - 1. Forward chaining
  - 2. Backward chaining
  - 3. "On-the-fly" exploration

- Forward chaining
  - A natural approach, from initial states  $\rightarrow$  add their successors  $\rightarrow$  until saturation
  - Difficulty:
    - Potential explosion of the set constructed





- Backward chaining
  - from target states → add immediate predecessors → until saturation, then, test whether some initial states are in there
  - Difficulties:
    - 1. Target states need to be fixed before.
    - 2. Computing immediate predecessors is generally more complicated than that of successors.
- "On-the-fly" exploration
  - Explore the reachability graph without actually building it
    - Construction is performed partially, as the exploration proceeds, without remembering everything already visited.
  - Background assumption
    - Present-day computers are more limited in memory resources than in processing speed
  - It is efficient mostly when
    - 1. Target set is indeed reachable. ("Yes" requires no exhaustive explorations)
    - 2. Can operate in forward or backward manners (The forward is the traditional)
    - 3. May apply to some systems with infinitely many states







# **Safety Properties**



# 7. Safety Properties

#### Safety property

- Under certain conditions, an (undesirable) event never occur.

#### – Examples:

- (S1) "Both processes will never be in their critical sections simultaneously (mutual exclusion)"
- (S2) " Memory overflow will never occur "
- (S3) " The situation ... is impossible "
- (S4) "As long as the key is not in the ignition position, the car won't start " ← with conditions
- ¬ safety property = reachability property
- ¬ reachability property = safety property





# 7.1 Safety Properties in Temporal Logic

- AG ¬Φ
  - " $\phi$  never occurs."
  - (S1) "Both processes will never be in their critical sections simultaneously "
    - AG ¬(crit\_sec1 ∧ crit\_sec2)
  - (S2) "Memory overflow will never occur"
    - AG ¬overflow
  - (S3) " The situation ... is impossible "
    - AG ¬situation
  - (S4) "As long as the key is not in the ignition position, the car won't start "
    - A (¬start W key) ← using weak until : it is a safety property
    - A (¬start U key) ← using strong until : Not a safety property!





# 7.2 A Formal Definition

- Syntactic characterization
  - Safety properties can be written in the form AG  $\phi^-$ 
    - $\phi^-$  is a past temporal formula
  - When a safety property is violated, it should be possible to instantly notice it.
    - We can only notice it, in the current state, relying on events which occurred earlier.
- Temporal logic with past
  - CTL\* does not provide past combinators.
  - But, we can use a mirror image of future combinators (F<sup>-1</sup>, X<sup>-1</sup>)
- AG  $\phi^-$  in practice
  - (S1) AG  $\neg$ (crit\_sec<sub>1</sub>  $\land$  crit\_sec<sub>2</sub>)
    - $\neg$ (crit\_sec<sub>1</sub>  $\land$  crit\_sec<sub>2</sub>) is a  $\phi$
  - (S4) A ¬start W key
    - Can be rewritten in the form: AG (start  $\Rightarrow$  F<sup>-1</sup> key)
    - " It is always true (AG) that if the car starts, then ( $\Rightarrow$ ) the key was inserted beforehand (F<sup>-1</sup>). "





# **7.3 Safety Properties in Practice**

- Safety properties are verified simply by submitting it to a model checker. But, in real life, hurdles spring up.
- A simple case: non-reachability
  - The most safety properties
  - $\neg \mathsf{EF} (\operatorname{crit\_in}_1 \land \operatorname{crit\_in}_2) = \mathsf{AG} \ \boldsymbol{\Phi}^-$ 
    - $\neg(crit\_in_1 \land crit\_in_2)$  is a present formula
- Safety without past
  - − A (¬start W key) vs. AG (start  $\Rightarrow$  F<sup>-1</sup> key)
  - No model checker is able to deal with past formulas. So, mixed logics are used.
  - The problem is their identification.
    - $\rightarrow$  If they are identified, then it can be dealt with similarly
    - $\rightarrow$  Otherwise, we have to use the method of <u>history variables (in section 7.4)</u>
- Safety with explicit past
  - No model checker is able to handle temporal formula with past.
  - Two approaches:
    - 1. Eliminate the past (in principle, it is possible to translate mixed formulas to pure-future ones)

- AG (φ ⇒ F<sup>-1</sup> ψ) ≡ A (¬φ W ψ), but not easy.



2. History variable method (section 7.4)





## **Liveness Properties**



#### 8. Liveness Properties

- Liveness property
  - Under certain conditions, some event will ultimately occur.
    - Some happy event will occur in the end.
  - Examples:
    - (L1) " Any request will ultimately be satisfied "
    - (L2) " By keeping on trying, one will eventually succeed "
    - (L3) " If we call on the elevator, it will bound to arrive eventually "
    - (L4) "The light will turn green (some day regardless of the system behavior)"
    - (L5) " After the rain, the sunshine "
    - (L6) " The program will terminate "
  - Two broad family of liveness properties
    - 1. Simple liveness : *progress* (Chapter 8)
    - 2. Repeated liveness : *fairness* (Chapter 10)





### 8.1 Simple Liveness in Temporal Logic

- FΦ
  - " $\phi$  will ultimately occur. "
  - (L1) "Any request will ultimately be satisfied "
    - AG (req  $\Rightarrow$  AF sat)
  - (L7) "The system can always return to its initial state "
    - AG EF init
  - PUQ
    - "Along the execution, we will find a state satisfying Q and P will hold for all the states encountered in the meantime "
    - Regarded as a liveness property
    - PUQ ≡ FQ ∧ (PWQ) (liveness) (safety)
    - A(PUQ) and E(PUQ) are all liveness properties.





### 8.2 Are Liveness Properties Useful?

- Abstract liveness properties
  - "If we call on the elevator, it is bound to arrive eventually "
    - It yields no information, from a utilitarian viewpoint.
    - "Abstract" liveness property
  - "An event will occur within at most x time unit"
    - It is useful, but became a safety property.
    - "Bounded" liveness property
  - But, it is still useful
    - "Abstract" is more general than "concrete".
    - "Abstract" is more efficient than "concrete".
    - "Abstract" and "concrete" are not contradictory.





### 8.3 Liveness in the Model and the Properties

- Two different roles in the verification process
  - 1. Liveness properties : we wish to verify
  - 2. Liveness hypotheses : we make on the system model
- When we use a mathematical model(automata) to represent a real system,
  - The semantics of the model in face define *implicit safety and liveness hypotheses*.
  - Safety hypothesis :
    - Clear
    - It can flip from q to q' only if it includes a transition going from q to q'.
  - Liveness hypothesis :
    - Not clear
    - The system will chain transitions as long as possible to a block state or accepting states.
    - "The system does not terminate without reason, or remain inactive indefinitely without reason."
    - Can be subtle and cause errors :



In state x, will always end up wishing printing. → Different from the real world's behavior !!!

• One must be aware of the premises of the models used and check their adequacy.





### **8.4 Verification under Liveness Hypotheses**

- Verify that specific model behaviors satisfy a given property :
  - $\phi_v$  : only the model which the liveness hypotheses hold
  - $\Psi$  : a property
  - Verify  $\Phi_v \Rightarrow \psi$  is sufficient.
  - If  $\psi$  is a CTL property
    - AF ( E PUQ )  $\rightarrow$  A ( $\Phi_v \Rightarrow$  FE ( $\Phi_v \land$  P U Q) )





#### **8.5 Bounded Liveness**

#### Bounded liveness property

- A liveness property that comes with a maximal delay which the desired situation must occur
- Safety properties from a theoretical viewpoint``
- Can be rewritten in a form AG ( $\psi_2 \Rightarrow F^{-1} \psi_1$ )
- Not as important as safety properties
- Bounded liveness in timed systems
  - Often used in the specification of timed systems (in Chapter 5)
  - Explicit constraints on delays  $\rightarrow$  TCTL !!!
  - (BL1) " The program terminates in less than ten seconds "
    - $AF_{<10s}$  end  $\leftarrow$  bounded liveness property
    - AG ( $\neg$ end  $\Rightarrow$  F<sup>-1</sup><sub><10s</sub> start )  $\leftarrow$  safety property
  - (BL2) " Any request is satisfied in less than five minutes "
    - AG ( req  $\Rightarrow$  AF<sub><5m</sub> sat )  $\leftarrow$  bounded liveness property
    - AG (  $\neg$  (F<sup>-1</sup><sub>=5m</sub>req  $\land$  G<sup>-1</sup><sub>≤5m</sub> $\neg$ sat ) ← safety property

DEPENDABLE SOFTWARE LABORATORY





### **Deadlock-Freeness**



#### 9. Deadlock-Freeness

#### Deadlock-freeness

- A special property, " The system can never be in a situation on which no progress is possible."
- Correct property relevant for systems that are supposed to run indefinitely
  - A set of properly identified final states will be required to be deadlock-free.





#### 9.1 Safety? Liveness?

#### AG EX true

- "Whatever the state reached may be (AG), there will exist an immediate successor state (EX true) "
- Not the form of  $AG\phi^1$
- Deadlock-free is not a safety property.
- Can be verified if the model checker can handle AG EX true.





#### 9.2 Deadlock-freeness for a Given Automaton

- We sometimes think of deadlock-freeness as a safety property
  - For a given automaton, we can describe the deadlock states explicitly.
  - But, it is up to the automaton we obtain.

if x > 0x := x + 1 A x = x + 1AG EX true  $\rightarrow$  hold! (liveness property) x:=0, y:=0 AG  $\neg$ (s3  $\land$  x≤0)  $\rightarrow$  hold! (safety property) s2 s3 s1 if x = yy = y + 1 if x > 0x := x + 1 Α' x = x + 1AG EX true  $\rightarrow$  not hold! (liveness property) x:=0, y:=0 AG  $\neg$ (s3  $\land$  x≤0)  $\rightarrow$  hold! (safety property) s2 s3 s1 if x = y

- For example,



#### 9.3 Beware of Abstractions!



DEPENDABLE SOFTWARE LABORATORY





## **Fairness Properties**



#### **10. Fairness Properties**

#### Fairness Property

- Under certain conditions, an event will occur (or will fail to occur) infinitely often

#### - Examples:

- (F1) "The gate will be raised infinitely often"
- (F2) " If access to a critical section is infinitely often requested, then access will be granted infinitely often "
- repeated liveness or repeated reachability





### **10.1 Fairness in Temporal Logic**

- GF P
  - "We meet a state in which P holds infinitely often."
    - There is no last state in which P holds.
  - Fairness properties cannot be expressed in pure CTL
    - (F1) " The gate will be raised infinitely often."
       → A ( GF gate\_raised )
    - (F2) " If access to a critical section is infinitely often requested, then access will be granted infinitely often."

 $\rightarrow$  A ( GF crit\_req  $\Rightarrow$  FG crit\_in )

- FCTL or ECTL+
  - CTL + fairness
  - O(  $|A| \times |\phi|^2$  )
  - <u>Many tools (like SMV) considers the fairness hypotheses as part of model rather than choosing FCTL.</u>





#### **10.2 Fairness and Nondeterminism**

- In practice, fairness properties are used to describe the form of some nondeterministic sequences.
  - "When a nondeterministic choice occurs at some point, it is often assumed to be fair."
  - For example,
    - A die with six faces
    - Its behavior is fair, if it fulfills the property:
      - A (GF 1 ^ GF 2 ^ GF 3 ^ GF 4 ^ GF 5 ^ GF 6)
  - Fairness properties can be viewed as an abstraction of probabilistic properties.





### **10.3 Fairness Properties and Fairness Hypotheses**

- Fairness properties are very often used as hypotheses.
- An example:
  - Classical alternating bit protocol
    - A : a transmitter
    - B : a receiver
    - AB : a line for messages
    - BA : a line for message acknowledgements
    - Messages can be lost  $\rightarrow$  non-deterministic behavior of AB and BA
  - Liveness property : "Any emitted message is eventually received."
    - G ( emitted  $\Rightarrow$  F received ) : Fail !!!
    - The model allows to systematically lose all messages.
    - Our original intension : "unreliable" line, not the whole lose  $\rightarrow$  Fairness hypothesis !!!
    - A ( GF  $\neg loss \Rightarrow$  G ( emitted  $\Rightarrow$  F received ) ) <u>fairness hypothesis</u> liveness property
  - Repeated liveness property : " If infinitely many messages are emitted, then infinitely many messages will be transmitted."

#### repeated liveness property

• A ( GF  $\neg loss \Rightarrow$  ( GF emitted  $\Rightarrow$  GF received ) ) <u>fairness hypothesis</u> ( repeated liveness hypothesis





### **10.4 Strong Fairness and Weak Fairness**

- Fairness property
  - "If P is continually requested, then P will be granted (infinitely often)."
  - Weak fairness : without interruption
  - Strong fairness : possibly with interruption
  - No difference when using them for model checking of finite systems

#### Weak fairness

- Assume that P is requested without interruption
  - (FG request\_P)  $\Rightarrow$  F P
  - (FG request\_P)  $\Rightarrow$  GF P

#### Strong fairness

- Assume that P is requested in an infinitely repeated manner, possibly with interruptions
  - (GF request\_P)  $\Rightarrow$  F P
  - (GF request\_P)  $\Rightarrow$  GF P





### 10.5 Fairness in the Model or in the Property?

- The best way is
  - Model = automaton + fairness hypothesis
    - Pros: Fairness hypothesis can change independently from the automata model.
  - Ex. SMV model checker







- Symbolic Model Checking
- Timed Automata

# **FORMAL VERIFICATION : ADVANCED**

# **5. Symbolic Model Checking**



### 4. Symbolic Model Checking

#### • Symbolic model checking

- Any model checking method attempting to <u>represent symbolically</u> states and transitions
- A particular symbolic method in which BDDs(Binary Decision Diagram) are used to represent the state variables
- Represent very large sets of states concisely, as if they were in bulk.
- Motivation:
  - State explosion is the main problem for CTL or PLTL model checking.
  - State explosion occurs whenever we represent explicitly all states of automaton we use.
- Organization
  - Symbolic Computation of State Sets
  - Binary Decision Diagrams (BDD)
  - Representing Automata by BDDs
  - BDD-based Model Checking





### 4.1 Symbolic Computation of State Sets

- Iterative computation of  $Sat(\phi)$ 
  - A = <Q, T, ... >
  - Pre(S) : immediate predecessors of the states belonging to S in Q
  - **Sat**( $\phi$ ) : set of states of A which satisfy  $\phi$ 
    - $\psi$  is the sub-formulas of  $\phi$
  - Sat( $\neg \psi$ ) = Q \ Sat( $\psi$ )
  - − Sat( $\psi \land \psi$ ) = Sat( $\psi$ ) ∩ Sat( $\psi$ )
  - Sat(EX  $\psi$ ) = Pre(Sat( $\psi$ ))
  - Sat(AX  $\psi$ ) = Q \ Pre(Q \ Sat( $\psi$ ))
  - Sat(EF  $\psi$ ) = Pre\*(Sat( $\psi$ ))
  - ... (others are defined in a similar way)

```
/* ==== Computation of Pre*(S) ==== */
X := S;
Y := { };
while (Y != X) {
    Y := X;
    X := X \vee Pre(X);
}
return X;
```

- The algorithms in Section 3.1 is an particular implementation of  $Sat(\phi)$
- Hence,  $Sat(\phi)$  is an explicit representation of the state sets.





- Which symbolic representations to use ?
  - We have to access the following primitives:
    - 1. A symbolic representation of Sat(P) for each proposition  $P \subseteq Prop$ .
    - 2. An algorithm to compute a symbolic representation of Pre(S) from a symbolic representation of *S*.
    - 3. Algorithms to compute the complement, the union, and the intersection of the symbolic representations of the sets.
    - 4. An algorithm to tell whether two symbolic representations represent the same set.
- Systems with infinitely many states
  - Symbolic approach naturally extends to infinite systems.
  - New difficulties:
    - 1. Much trickier to come up with symbolic representations.
    - 2. Iterative computation  $Sat(\phi)$  is no longer guaranteed to terminate.





### 4.2 Binary Decision Diagram (BDD)

#### • BDD

- A particular data structure very commonly used for representing states sets symbolically
- Proposed in 1980s ~ early in 1990s
- Make possible the verification of the system which cannot represent explicitly.
- Advantages:
  - Efficiency
  - Simplicity
  - Easy Adaptation
  - Generality





- BDD structure example
  - *n* boolean variables  $x_1, x_2, \dots, x_n$  associated with a tuple  $\langle b_1, b_2, \dots, b_n \rangle$ 
    - Suppose n = 4,
    - The set S of our interest is the set such that  $(b_1 \vee b_3) \wedge (b_2 \Rightarrow b_4)$  is true.
  - We have several ways to represent the set:
    - S = {<F,F,T,F>, <F,F,T,T> , ... >
    - S =  $(b_1 \vee b_2) \wedge (b_3 \Rightarrow b_4)$
    - $S = (b_1 \land \neg b_2) \lor (b_1 \land b_4) \lor (b_3 \land \neg b_2) \lor (b_3 \land b_4) \leftarrow DNF$
    - .
    - **<u>Decision Tree</u>** ← Our choice.







- Decision tree reduction
  - A <u>BDD</u> is a reduced decision tree.
  - Reduction rules:
    - 1. Identical sub-trees are identified and shared. ( $n_8$  and  $n_{10}$ )
      - $\rightarrow$  leads to a directed acyclic graph (dag)
    - 2. Superfluous internal nodes are deleted.  $(n_7)$
  - Advantages:

LABORATORY

- 1. Space saving
- 2. Canonicity





- Canonicity of BDDs
  - BDDs canonically represent sets of boolean tuples. (fundamental property of BDDs)
  - If the order of the variable  $x_i$  is fixed, then there exists a unique BDD for each set *S*.
  - Properties of BDDs
    - 1. We can test the equivalence of two BDDs in constant time.
    - 2. We can tell whether a BDD represents the empty set simply by verifying whether it is reduced to a unique leaf F.
- Operations on BDDs
  - All boolean operations
    - 1. Emptiness test
    - 2. Comparison
    - 3. Complementation
    - 4. Intersection
    - 5. Union and other binary boolean operations
    - 6. Projection and abstractions
  - Complexity : linear or quadratic (for each operation)
    - $\rightarrow$  The same state explosion problems still exist.





#### 4.3 Representing Automata by BDDs

- Before applying BDDs to symbolic model checking, we need to restate
  - Representing the <u>states</u> by BDDs
  - Representing <u>transitions</u> by BDDs
- Representing the states by BDDs
  - Consider an automaton A with
    - $Q = \{q_0, \dots, q_6\} \rightarrow b_1^1, b_1^2, b_1^3$
    - var digit:0..9  $\rightarrow b_{2}^{1}, b_{2}^{2}, b_{2}^{3}, b_{2}^{4}$
    - var ready:bool  $\rightarrow b_3^1$
    - $< b_1^1, b_1^2, b_1^3, b_2^1, b_2^2, b_2^3, b_2^4, b_3^1 >$
    - < F, T, T, T, F, F, F, F > = < $q_3$ , 8, F >
  - Let's represent  $Sat(ready \Rightarrow (digit > 2))$ 
    - States  $\langle q, k, b \rangle$  such that if b = T and k > 2
    - ready  $\Rightarrow$  (digit > 2)  $\equiv \neg$  ready  $\lor$  (digit > 2)





- Representing transitions by BDDs
  - The same idea is applied.
  - $\langle q_3, 8, F \rangle \rightarrow \langle q_5, 0, F \rangle : \langle F, T, T, T, F, F, F, F, F, T, F, F, F, F, F, F, F \rangle$
  - For example,



$$\begin{array}{l} \boldsymbol{\rightarrow} ( \neg b_{1}^{1} \wedge \neg b_{1}^{2} \wedge b_{3}^{1} ) \\ \wedge ( b_{2}^{1} \vee b_{2}^{2} \vee b_{3}^{2} \vee b_{4}^{2} ) \\ \wedge ( \neg b_{1}^{1} \wedge b_{2}^{1} \wedge \neg b_{3}^{1} ) \\ \wedge ( b_{2}^{1} \Leftrightarrow b_{2}^{1} \wedge b_{2}^{2} \Leftrightarrow b_{2}^{2} \wedge b_{3}^{2} \Leftrightarrow b_{3}^{3} \wedge b_{4}^{2} \Leftrightarrow b_{4}^{4} ) \\ \wedge b_{1}^{1} & \end{array}$$





### 4.4 BDD-based Model Checking

- BDDs can serve as an instance of symbolic model checking scheme.
  - Provide compact representations for the sets of states in an automaton
  - Support the basic sets of operations
  - Computation of Pre(S) in section 4.1 is very simple.
- Implementation
  - SMV (chapter 12)
  - Efficiency of BDDs depends on
    - $B_T$  representing the transition relation T (as containing pairs of states)
    - Choice of ordering for the boolean variables
  - Very easy to explode exponentially.
- Perspective
  - Widely used from early 1990s
  - Current work on model checking
    - Aiming at applying BDD technology to solve more verification problems (ex. program equivalence)
    - Aiming at extending the limits inherent to BDD-based model checking
  - Widely used throughout the VLSI design industry.







# 6. Timed Automata



# 5. Timed Automata

### • "Temporal"

"Trigger the alarm action upon detecting a problem"

### • "Real-Time"

"Trigger the alarm less than 5 seconds after detecting a problem"

### <u>Timed Automata</u>

- Proposed by Alur and Dill in 1994.
- An answer to this "real-time" needs

### Organization

- Description of a Timed Automata
- Networks of Timed Automata and Synchronization
- Variants and Extensions of the Basic Model
- Timed Temporal Logic
- Timed Model Checking





# **5.1 Description of Timed Automata**

- Two fundamental elements of timed automata
  - 1. A finite automaton (assumed instantaneous between states)
  - 2. Clocks

• An example







- Clocks and transitions
  - Clocks
    - Variables having non-negative real values in *R*
    - All clocks are null in the initial system states.
    - All clocks evolve at the same speed, synchronously with time.

### – Transitions

- Three items
- A guard
- An action (label)
- Reset of some clocks
- The system operates as if equipped with
  - <u>A global clock</u>
  - Many individual clocks (each is synchronized with the global clock)







- Configurations and executions
  - Configuration of the system
    - (q, v)
      - q : a current control state of the automaton
      - v: the value of each clock
    - We also refer to *v* as a valuation of the automaton clocks.
    - Timed automata does not fix the time unit under consideration
  - **Execution** of the system
    - (usually infinite) sequence of configurations
    - A mapping  $\rho$  from *R* to the set of configuration
    - Configurations change in two ways
      - Delay transition
      - Discrete transition (or action transition)



#### **Discrete transition**

 $(\text{init, } 0) \rightarrow (\text{init, } 10.2)^{\stackrel{?msg}{\rightarrow}} (\text{verify, } 0) \rightarrow (\text{verify, } 5.8)^{\stackrel{?msg}{\rightarrow}} (\text{verify, } 0) \rightarrow (\text{verify, } 3.1)^{\stackrel{?msg}{\rightarrow}} (\text{alarm, } 3.1) \rightarrow \dots$ 

- Trajectory
  - $-\rho(0)$ : the initial state
  - $-\rho(12.3) = (verify, 2.1)$





# **5.2 Networks of Timed Automata and Synchronization**

- It is useful to build a timed model in a composite fashion, by combining several parallel automata synchronized with one another.
   → a timed automata network
- Executions of a timed automata network
  - All automata components run in parallel at the same speed
  - Their clocks are all synchronized to the same global clock
  - (q, v): a network configuration
    - *q* : a control state vector
    - v: a function associating each network clock with its value at the current time

### Synchronization

- Timed automata synchronize on transitions (as usually) by resetting the clocks.
- The clocks which were not reset are unchanged.
- No concurrent write conflicts on clocks, since reset writes a zero value and nothing else.





### • Example : modeling a railroad crossing



# **5.3 Variants and Extensions of the Basic Models**

- Many variants, and three extensions
- Invariants
  - Liveness hypothesis in the untimed model
  - Invariant: a state's condition on the clock values, which must always hold in the state
  - Example: near (invariant: Ht < 5), on (invariant: Ht < 2), lower/raise (invariant: Hb < 2)</li>
- Urgency
  - Used when cannot tolerate a time delay
  - Represented in the system configurations, not in the transitions
  - Allowing urgent/synchronized behaviors in a more natural way
- Hybrid linear system
  - Models dynamic variables (in a form of differential equations)
  - HyTech





# **5.4 Timed Temporal Logic**

- Given a system described as a network of timed automata, we wish to be able to state/verify properties of this system
  - Temporal properties
    - "When the train is inside the crossing, the gate is always closed."
  - Real-time properties
    - "The train always triggers an Exit signal within 7 minutes of having emitted an App signal."
- Three ways to formally state real-time properties
  - 1. Express it in terms of the reachability of some sets of configurations
  - 2. Use observer automata in PLTL model checking
    - Given a property  $\phi$ , a network R
    - Testing reachability of some states in the product R || A $\phi$
    - UPPAAL , HYTECH
  - 3. Use a timed logic
    - TCTL (Timed CTL), etc.





### • TCTL (Timed CTL)

- $\begin{array}{ll} \bullet & \Phi \ , \ \psi \colon := P_1 \mid P_2 \mid ... & (atomic proposition) \\ & \mid \neg \phi \mid \phi \land \psi \mid \phi \Rightarrow \psi \mid ... & (boolean combinators) \\ & \mid \mathsf{EF}_{(\sim k)} \phi \mid \mathsf{EG}_{(\sim k)} \phi \mid \mathsf{E} \phi \cup_{(\sim k)} \psi & (temporal combinators) \\ & \mid \mathsf{AF}_{(\sim k)} \phi \mid \mathsf{AG}_{(\sim k)} \phi \mid \mathsf{A} \phi \cup_{(\sim k)} \psi & (path quantifiers) \end{array}$
- ~ : any comparison symbol from  $\{<, \leq, =, \geq, >\}$
- k : any rational number from Q. (real number)
- Operator X does not exist in TCTL
- Example :
  - AG (pb  $\Rightarrow$  AG<sub>( $\leq 5$ )</sub> alarm)
    - "If a problem occurs, then the alarm will sound immediately and it will sound for at least 5 time units."
  - AG  $(\neg far \Rightarrow AF_{(<7)} far)$ 
    - "When the train is located in the railway section between the two sensors App and Exit, it will leave this section before 7 time units."





## **5.5 Timed Model Checking**

- With timed automata and TCTL logic
- We wish to obtain a model checking algorithm for them.
- Difficulties : Automaton has an infinite number of configurations, since
  - Clock values are unbounded
  - The set of real numbers used in clocks is dense
  - Overcome it with the equivalence classes, called "regions"
  - Example: x1, x2 ~ k with k = 0, 1, 2
    - 28 regions







### • Complexity

- Model checking algorithms are complicated.
- The number of regions grows exponentially.
- O(n!M<sup>n</sup>)
  - n: number of clocks
  - M: upper bounds of every constant
- No general and efficient method is likely to exist. (vs. linear complexity in CTL)
- PSPACE-complete problem
- Existing tools focus on defining adequate data structures for handing sets of regions
   *→* "*zones*"
- Existing tools have been successfully used
  - UPPAAL
  - HyTech
  - (KRONOS)
  - SpaceEx (PHAver) ← for Hybrid System (CPS)







# FORMAL VERIFICATION TOOLS AND CASE STUDIES

# 7. Formal Verification Tools



## Introduction

- Formal modeling methods and tools (graphical methods only)
  - SCR
  - NuSCR (NuSRS)
  - Statecharts Statemate MAGNUM)
  - RSML / SpecTRM
  - Petri-Nets (Design/CPN)
  - Timed Automata (UPPAAL)
- Formal verification (model checking) tools
  - SMV
  - SPIN
  - VIS
  - CBMC
  - DESIGN/CPN
  - UPPAAL
  - HyTech





# SCR

### Software Cost Reduction (SCR) <sup>1)</sup>

<sup>1)</sup> http://www.nrl.navy.mil/itd/chacs/5546/SCR







#### **Main Window**

- Condition table
- Event table
- Mode Transition table



#### Editor

The specification consists of two basic types of tables. The first is dictionaries, which describe the types used in the specification, variables, and other objects used to describe the specification with the second table type.

The second type of table describes functions; that is, given certain events or conditions, and the current state of the application, what is the output value of a given variable?

The tables include editing functions for building and changing the developing specification.

| TYPE+                         |     |       |   |            |               |          |       |         | ☑ Mon<br>☑ Term<br>☑ Con | 🗹 Match Case | Name<br>Contains |
|-------------------------------|-----|-------|---|------------|---------------|----------|-------|---------|--------------------------|--------------|------------------|
| Name                          | DGB | Class |   | Туре       | Initial Value | Accuracy | Table | Kind    | Value                    |              | Comment          |
| Block                         | DGB | Mon   | • | Switch 👻   | OFF 🔻         | N/A      | -     | -       |                          |              |                  |
| MajorityLow                   | DGB | Term  | • | Boolean 👻  | TRUE 🔻        | 0        | Т     | Table 🔻 |                          |              |                  |
| MajorityPermit                | DGB | Term  | • | Boolean 👻  | TRUE 🔻        | 0        | Т     | Table 🔻 |                          |              |                  |
| OVERRIDDEN                    | DGB | Term  | • | Boolean 💌  | TRUE 🔻        | 0        | Т     | Table 🔻 |                          |              |                  |
| OVERRIDDEN_model<br>ess_event | DGB | Con   | • | Boolean 🔻  | TRUE -        | 0        | т     | Table 🔻 |                          |              |                  |
| PB                            | DGB | Mon   | • | Pressure 💌 | 14            | 0.05%    | -     | -       |                          |              |                  |
| PG                            | DGB | Mon   | • | Pressure 🔻 | 14            | 0.05%    | -     | -       |                          |              |                  |
| PR                            | DGB | Mon   | • | Pressure 🔻 | 14            | 0.05%    | -     | -       |                          |              |                  |
| Reset                         | DGB | Mon   | • | Switch 🔻   | OFF 🔻         | N/A      | -     | -       |                          |              |                  |
| Safety_Injection              | DGB | Con   | - | Switch 🔻   | OFF 👻         | N/A      | Т     | Table 🔫 | 1                        |              |                  |
| Notes                         |     |       |   |            |               |          |       |         |                          |              |                  |



#### **Consistency Checker**

This checks for correctness and consistency in the tables that describe the specification. Kinds of checks done are syntax and type checking, circular definitions, missing cases, undefined variables, and non-determinism. Any errors found are displayed in the main window under the affected object, making it easy for the user to locate and correct the error.

| SCR                         | Safety_Injection Cond                  | ition Function        | - O X    |
|-----------------------------|----------------------------------------|-----------------------|----------|
| File                        |                                        |                       |          |
| TYPE+ DISJ COVG             |                                        | ×.                    |          |
| E C                         | Safety_Injection Co<br>Defines a Contr | olled Variable        |          |
| Name Safety_Injection       |                                        | Mode Class M_Pressure |          |
| Modes                       | Conditions                             |                       | Comments |
| Normal                      | FALSE                                  | TRUE                  |          |
| Low                         | NOT OVERRIDDEN                         | OVERRIDDEN            |          |
| VoterFailure                | TRUE                                   | FALSE                 |          |
| Safety_Injection =          | ON                                     | OFF                   |          |
|                             |                                        |                       |          |
|                             |                                        |                       |          |
|                             |                                        |                       |          |
| ☐ ☐ ∰f() 🔀 Safety_Injection |                                        |                       |          |
|                             |                                        |                       |          |
|                             |                                        |                       |          |
|                             |                                        |                       |          |





#### **Dependency Browser**

DEPENDABLE SOFTWARE LABORATORY

An existing specification is analyzed to find which objects in the specification depend on which other objects (eg, variables), and a graph of the dependency relationship is created and displayed by this component.

This allows the user to create scenarios, and play them out to check that the specification behaves as expected. The simulator can be run from within the SCR toolset, or it can run separately when code is generated from the specification (one of the functions of the toolset). Simulator





#### Simulator

The simulator display takes two basic forms. One is an automatically generated tabular display, [associate with the simulator.gif] and the other is graphical, tailored to specific applications. This version requires user extensions, based on a framework built into the toolset.





# NuSCR

### NuSCR

A Formal requirements specification language customized for nuclear I&C systems

- Customizing SCR for nuclear domain
- Consisting of 4 constructs
  - + SDT (Structured Decision Table)
  - + FSM (Finite State Machine)
  - + TTS (Timed Transition System)
  - + FOD (Function Overview Diagram)
- Various Supporting for seamless verification and safety analysis
- A starting point of the NuDE framework



**Regular Paper** Journal of Computing Science and Engineering, Vol. 11, No. 1, March 2017, pp. 9-23

#### NuDE 2.0: A Formal Method-based Software Development, Verification and Safety Analysis Environment for Digital I&Cs in NPPs

Eui-Sub Kim, Dong-Ah Lee, Sejin Jung, and Junbeom Yoo<sup>\*</sup> Division of Computer Science and Engineering, Konkuk University, Seoul, Korea atang34@konkuk.ac.kr, Idalove@konkuk.ac.kr, jsjj0728@konkuk.ac.kr, jbyoo@konkuk.ac.kr









#### DEPENDABLE SOFTWARE LABORATORY

#### NuSRS – NuSCR Modeling Environment

132



DEPENDABLE SOFTWARE LABORATORY KU KONKUK UNIVERSITY



## **Statecharts**

### IBM Rational Statemate MAGNUM

A graphical working environment developed by David Harel

- Create a visual, graphical specification that clearly and precisely represents the intended functions and behavior of the system

- The Statecharts specification may be executed, or graphically simulated
- The 3 views of the system mode
  - + Module-charts
  - + Activity-charts
  - + Statecharts
- Generates C, Ada, VHDL and Verilog code
- Formal verification through in-house model checker







Ativity-chart



KU KONKUK UNIVERSITY







## **Design/CPN**

### Design/CPN (CPN Tools 4.0)

1) http://cpntools.org/

A tool for editing, simulating, and analyzing Colored Petri nets<sup>1)</sup>

- CPN Editor : construction, modification and syntax check of CPN models (CPN Editor)
- CPN Simulator : interactive and automatic simulation of CPN models (CPN Simulator) + simulation-based performance analysis of CPN models
- Occurrence Graph Tool : construction and analysis of occurrence graphs for CPN models → state spaces or reachability graphs/trees



PENDABLE SOFTWARE

LABORATORY











| y MSC                  | Binder 7                                                                                                                                                            |
|------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|                        | ew Page                                                                                                                                                             |
| Sender Receiver        | val msc = MSC.createMSC ("My MSC")                                                                                                                                  |
| product                | MSC.addProcess(msc, "Sender");<br>MSC.addProcess(msc, "Receiver")                                                                                                   |
| e consume              | MSC.addInternalEvent(msc, "Sender", "produce");<br>MSC.addEvent(msc, "Sender", "Receiver", "product");<br>MSC.addEvent(msc, "Receiver", "Receiver", "consume")      |
| Packet 1               |                                                                                                                                                                     |
| product 1              | MSC addl ine(msc "Packet 1")<br>val e1 = "evento" : string<br>val e2 = "event1" : string<br>val e3 = "event2" : string                                              |
| product 2<br>product 3 | val e1 = MSC.startEvent(msc, "Sender", "product 1");<br>val e2 = MSC.startEvent(msc, "Sender", "product 2");<br>val e3 = MSC.startEvent(msc, "Sender", "product 3") |
|                        |                                                                                                                                                                     |





## **Timed Automata**

Timed Automata (UPPAAL)

1) http://www.uppaal.org/

An integrated tool environment for modeling, validation and verification of real-time systems modeled as networks of timed automata, extended with data types (bounded integers, arrays, etc.) <sup>1)</sup>

- Use timed automata to analyze timed systems
- Graphical editor
- Graphical simulator
- Verifier
- Model checking
  - + CTL reachability analysis based on AG / EF









#### Timed automata models in UPPAAL





| D:/ITRC/건국대 ITRC/uppaal/new/013.xml - UPPAAL                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                           |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|
| e Edit View Tools Options Help                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |                           |
| 💽 🚭 🖳 🔍 🔍 🚫 🚱 🤝 🍉<br>ditor Simulator Verifier                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |                           |
| Overview                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |                           |
| A[] !(Ctr.Wait4 && Ctr.clk > t20ms && Reader2.Write4)         A[] !(Ctr.Wait3 && Ctr.clk > t20ms && Reader2.Write3)         A[] !((Ctr.Wait2_0    Ctr.Wait2_1) && Ctr.clk > t20ms && (Reader0.Write1            A[] !((Ctr.Wait1 && Ctr.clk > t20ms && (Reader0.Write1                                                                                                                                                                                                                                                                                                                                             | Check<br>Insert<br>Remove |
| A[] !(Ctr.WaitO && Ctr.clk > t2Oms && Reader3.Write)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Comments                  |
| Query                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |                           |
| Comment<br>Controller doesn't wait to access SharedVar4 over 20 ms while Reader2 accesses SharedVar4                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |                           |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                           |
| ▼<br>Status                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |                           |
| A[] !(Ctr, Wait4 && Ctr, clk > t20ms && Reader2, Write4)<br>Property is not satisfied,<br>A[] !(Ctr, Wait3 && Ctr, clk > t20ms && Reader2, Write3)                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | *                         |
| A[] !(Ctr, Wait4 && Ctr, clk > t20ms && Reader2, Write4)<br>Property is not satisfied,<br>A[] !(Ctr, Wait3 && Ctr, clk > t20ms && Reader2, Write3)<br>Property is not satisfied,<br>A[] !((Ctr, Wait2_0    Ctr, Wait2_1) && Ctr, clk > t20ms && (Reader0, Write1    Reader1, Write1    R<br>Property is not satisfied,<br>A[] !(Ctr, Wait1 && Ctr, clk > t20ms && (Reader0, Write1    Reader1, Write1    R                                                                                                                                                                                                         | leader2, Write2           |
| A[] !(Ctr, Wait4 && Ctr, clk > t20ms && Reader2, Write4)<br>Property is not satisfied,<br>A[] !(Ctr, Wait3 && Ctr, clk > t20ms && Reader2, Write3)<br>Property is not satisfied,<br>A[] !((Ctr, Wait2_0    Ctr, Wait2_1) && Ctr, clk > t20ms && (Reader0, Write1    Reader1, Write1    R<br>Property is not satisfied,<br>A[] !(Ctr, Wait1 && Ctr, clk > t20ms && (Reader0, Write1    Reader1, Write1    R<br>Property is not satisfied,<br>A[] !(Ctr, Wait1 && Ctr, clk > t20ms && (Reader0, Write1    Reader1, Write1))<br>Property is not satisfied,                                                            |                           |
| A[] !(Ctr, Wait4 && Ctr, clk > t20ms && Reader2, Write4)<br>Property is not satisfied,<br>A[] !(Ctr, Wait3 && Ctr, clk > t20ms && Reader2, Write3)<br>Property is not satisfied,<br>A[] !((Ctr, Wait2_0    Ctr, Wait2_1) && Ctr, clk > t20ms && (Reader0, Write1    Reader1, Write1    R<br>Property is not satisfied,<br>A[] !(Ctr, Wait1 && Ctr, clk > t20ms && (Reader0, Write1    Reader1, Write1    R<br>Property is not satisfied,<br>A[] !(Ctr, Wait1 && Ctr, clk > t20ms && (Reader0, Write1    Reader1, Write1))<br>Property is not satisfied,<br>A[] !(Ctr, Wait0 && Ctr, clk > t20ms && Reader3, Write) | leader2, Write2           |
| A[] !(Ctr, Wait4 && Ctr, clk > t20ms && Reader2, Write4)<br>Property is not satisfied,<br>A[] !(Ctr, Wait3 && Ctr, clk > t20ms && Reader2, Write3)<br>Property is not satisfied,<br>A[] !((Ctr, Wait2_0    Ctr, Wait2_1) && Ctr, clk > t20ms && (Reader0, Write1    Reader1, Write1    R<br>Property is not satisfied,<br>A[] !(Ctr, Wait1 && Ctr, clk > t20ms && (Reader0, Write1    Reader1, Write1    R<br>Property is not satisfied,<br>A[] !(Ctr, Wait1 && Ctr, clk > t20ms && (Reader0, Write1    Reader1, Write1))<br>Property is not satisfied,                                                            |                           |



🕄 D:/ITRC/건국대 ITRC/uppaal/new/013.xml - UPPAAL

File Edit View Tools Options Help



NUADLE OUT I WARE

T T KONKUK

- 0 23



## SMV

### SMV

1) http://www.cs.cmu.edu/~modelcheck/smv.html

A symbolic model checker of CLT formulae on networks of automata with shared variables<sup>1)</sup>

- The first model checker using the BDD technology
- Suited for fully checking a complex system
- Input : SMV input program language or Verilog program
- CTL model checking
- No support for (systematic) simulating

| Carnegie M | ellon    | Model Ch   |                | ٠         |         |            |
|------------|----------|------------|----------------|-----------|---------|------------|
| [Home]     | [People] | [Software] | [Publications] | [Support] | [Links] | [Internal] |
| The SMV    | System   |            |                |           |         |            |



| default, sm<br>Eile <u>P</u> rop        |                                                                              | Goto                                               | History                                           | Abstract | tion |        |                | elp |
|-----------------------------------------|------------------------------------------------------------------------------|----------------------------------------------------|---------------------------------------------------|----------|------|--------|----------------|-----|
| Browser                                 | ·                                                                            |                                                    |                                                   |          |      | Groups | 1              |     |
|                                         | Nam                                                                          | e                                                  |                                                   | Layer    |      |        |                | H   |
| ₽-f_VA                                  | e<br>d_Err<br>R_OVER_<br>R_OVER_                                             | PWR_N                                              |                                                   |          |      |        |                |     |
| Source                                  | Trace                                                                        | Log                                                |                                                   |          |      |        |                | _   |
| File Sho                                | w                                                                            |                                                    |                                                   |          |      |        |                |     |
| SMV In                                  |                                                                              | α VAF                                              | OVER PI                                           | IR       |      |        |                |     |
|                                         |                                                                              | -                                                  |                                                   |          |      |        |                | Ξ   |
| SMV In                                  | put for                                                                      | T_VAP                                              | OVER_PU                                           | IR_Val_O | ut   |        |                |     |
| nu_Test,<br>VAR                         | f_var_ov<br>ver_pwr_                                                         | ER_PI                                              |                                                   | ry, cyc  |      |        | VAR_OVER_PWR_M | 2   |
| STATE : (                               | _init_,                                                                      | s0, s                                              | :1);                                              |          |      |        |                |     |
| ASSIGN                                  |                                                                              |                                                    |                                                   |          |      |        |                |     |
| FROM-30<br>FROM-31<br>FROM-1<br>FROM-30 | E) := ca<br>nitTO-<br>-TO-sO-t<br>-TO-sO-t<br>nitTO-<br>-TO-s1-t<br>-TO-s1-t | ase<br>-s0-ts<br>:aken<br>:aken<br>-s1-ts<br>:aken | uken : s0<br>: s0;<br>: s0;<br>uken : s1<br>: s1; |          |      |        |                |     |
| Output<br>init(f VA                     |                                                                              | WR Ve                                              | 1 Out) :                                          | = 0;     |      |        |                |     |

### The SMV input program (Cadence SMV)

| le <u>F</u>                   | erop Vie             | w <u>G</u> oto                                | History               | Abstractio              | n                                               |        |         |      |   | He                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
|-------------------------------|----------------------|-----------------------------------------------|-----------------------|-------------------------|-------------------------------------------------|--------|---------|------|---|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Brows                         | ser Pr <u>o</u>      | operties                                      | Results               | <u>C</u> one L          | Jsi <u>ng</u> <u>G</u> r                        | oups   |         |      |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| VI res                        | ults                 |                                               | Ł                     |                         |                                                 |        |         |      |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
|                               | Pro                  | perty                                         | Re                    | sult                    |                                                 | Time   |         |      |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| EF ((s                        | state=conr           | ate1)&(alarm<br>rect1)&(alarm<br>(~(state=cre | =1))) true            | Sat D                   | lec 10 20:30:<br>lec 10 20:30:<br>lec 10 20:30: | 25 可提誘 | 철댕·통良)맥 | 2011 |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
|                               |                      | e Log<br>In Vie <u>w</u>                      |                       |                         |                                                 |        |         |      |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
|                               | 1: 1                 | 2                                             | 3                     | 4                       | 5:                                              | 1      | Ì       |      |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| .oc.x                         | D                    | 0                                             | 0                     | G                       | D                                               |        |         |      |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
|                               |                      | 1                                             | 1                     | 0                       |                                                 | 8      | 10      | 10   |   | 1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| Loc y                         | 0                    | 0                                             | 0                     | U                       | 0                                               |        |         |      | 1 |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| 1.00                          |                      | 0                                             | 0<br>-                | -                       | -                                               |        |         |      |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| ack2                          | -                    |                                               |                       | 12.7                    |                                                 |        |         |      |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| 1.0                           | -<br>0               | -                                             | -                     | -                       | -                                               |        |         |      |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| ack2<br>alarm<br>obs          | -<br>0               | - 0                                           | -                     | -<br>0<br>0             | -<br>D                                          |        |         |      |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| ack2<br>alarm<br>obs          | -<br>0<br>0<br>ready | -<br>0<br>64                                  | -<br>0<br>0           | -<br>0<br>0             | -<br>0<br>0                                     |        |         |      |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| ack2<br>alarm<br>obs<br>state | -<br>0<br>0<br>ready | -<br>0<br>64<br>notice                        | -<br>0<br>0<br>create | -<br>0<br>0<br>operate2 | -<br>D<br>D<br>connect2                         |        |         |      |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| ack2<br>alarm<br>obs<br>state | -<br>0<br>0<br>ready | -<br>0<br>64<br>notice                        | -<br>0<br>0<br>create | -<br>0<br>0<br>operate2 | -<br>D<br>D<br>connect2                         |        |         |      |   | Image: Section of the sectio |
| ack2<br>alarm<br>obs<br>state | -<br>0<br>0<br>ready | -<br>0<br>64<br>notice                        | -<br>0<br>0<br>create | -<br>0<br>0<br>operate2 | -<br>D<br>D<br>connect2                         |        |         |      |   | Image:  |

### The result (counterexample) of the CTL model checking



KU KONKUK



# SPIN

### SPIN

1) http://spinroot.com/spin/whatispin.html

A tool for analyzing the logical consistency of concurrent systems, specifically of data communication protocols  $^{1)}\,$ 

- Developed at Bell Labs in the Unix group of the Computing Sciences Research Center, starting in

1980.

- The system is described in a modeling language called **Promela** (Process Meta Language) + Allowing for the dynamic creation of concurrent processes
- **Communication via message channels** can be defined to be synchronous (i.e., rendezvous), or asynchronous (i.e., buffered).
- Simulator
- Verification: LTLT model checking or assertion

Verifying Multi-threaded Software with Spin







The PROMELA program







The verification/simulation results with sequence diagram





#### VIS

1) http://vlsi.colorado.edu/~vis/

A system for formal verification, synthesis, and simulation of finite state systems <sup>1)</sup>

- Simulation of logic circuits (proof of concept only)
- Formal "implementation" verification of combinational and sequential circuits (proof of concept only)
- State-of-the-art formal "design" verification using fair CTL model checking and language emptiness
- Logic synthesis via hierarchy restructuring and a path to and from SIS
- Input : Verilog HDL through vl2mv (into BLIF-MV format)
- No GUI





vis release 2.0 (compiled Thu Jun 26 11:08:16 2008) vis> read blif mv h X Pretrip Manual.mv vis> flatten hierarchy vis> static order vis> build partition mdds vis> simulate -i inputVector1.txt # vis release 2.0 (compiled Thu Jun 26 11:08:16 2008) # Network: main # Input Vectors File: inputVector1.txt

.inputs f\_X\_Raw<0> f\_X\_Raw<1> f\_X\_Raw<2> f\_X\_Raw<3> f\_X\_Raw<4> f X Raw<5> f X Raw<6> temp .latches AA.Prev\_th\_Reset\_Ini AA.state AA.timer BB.Prev\_Pk\_State BB.f\_X\_Prev\_PTSP<0> BB.f\_X\_Prev\_PTSP<1> BB.f\_X\_Prev\_PTSP<2> BB.f X Prev PTSP<3> BB.f X Prev PTSP<4> BB.f X Prev PTSP<5> BB.f X Prev PTSP<6>BB.f X t0<0>BB.f X t0<1>BB.f X t0<2> BB.f\_X\_t0<3>BB.f\_X\_t0<4>BB.f\_X\_t0<5>BB.f\_X\_t0<6>CC.f\_X\_Prev<0> CC.f X Prev<1>CC.f X Prev<2>CC.f X Prev<3>CC.f X Prev<4> CC.f X Prev<5>CC.f X Prev<6>DD.state DD.th Prev X Pretrip DD.timer

outputs th X Pretrip 

start vectors

# f\_X\_Raw<0> f\_X\_Raw<1> f\_X\_Raw<2> f\_X\_Raw<3> f\_X\_Raw<4> f X Raw<5> f X Raw<6> temp ; AA.Prev th Reset Ini AA.state AA.timer BB.Prev\_Pk\_State BB.f\_X\_Prev\_PTSP<0> BB.f\_X\_Prev\_PTSP<1> BB.f X Prev PTSP<2>BB.f X Prev PTSP<3>BB.f X Prev PTSP<4> BB.f\_X\_Prev\_PTSP<5> BB.f\_X\_Prev\_PTSP<6> BB.f\_X\_t0<0> BB.f\_X\_t0<1> BB.f\_X\_t0<2>BB.f\_X\_t0<3>BB.f\_X\_t0<4>BB.f\_X\_t0<5>BB.f\_X\_t0<6> CC.f\_X\_Prev<0>CC.f\_X\_Prev<1>CC.f\_X\_Prev<2>CC.f\_X\_Prev<3> CC.f X Prev<4>CC.f X Prev<5>CC.f X Prev<6>DD.state DD.th Prev X Pretrip DD.timer ; th X Pretrip

| 10111100;0A0T5 S1001001110111111011111S11T0;1                                |
|------------------------------------------------------------------------------|
| 10111101;0A0T5 S1001001101011110101111S11T1 ;1                               |
| 10111101;1A1T0 S011000111110111110111S11T2 ;1                                |
| 10111101;0A0T1 S4110001100101110010111S11T3;1                                |
| 10111101;0A0T2 S4110001110001111000111S11T4;1                                |
| 10111101;0A0T3 S4110001101110110111011S11T5;0                                |
| 10111101;0A0T4 S4110001111010111101011 S00T5;0                               |
| 10111100;0A0T5 S4110001100010110001011 S00T5 ;0                              |
| 10111100;0A0T5 S4110001110100111010011 S00T5;0                               |
| 10111100;0A0T5 S4110001101000110100011 S00T0;0                               |
| 10111100;0A0T5 S41100011111111011111101 S00T0;0                              |
| 10111100;0A0T5 S4110001100111010011101 S00T0 ;1                              |
| # Final State : 0 A0 T5 S4 1 1 0 0 0 1 1 0 0 1 1 1 0 1 0 0 1 1 1 0 1 S0 0 T0 |









# CBMC

CBMC (C Bounded Model Checker)

1) http://www.cprover.org/cbmc/

A Bounded Model Checker for ANSI-C and C++ programs <sup>1)</sup>

- Verifying array bounds (buffer overflows), pointer safety, exceptions and user-specified assertions
- Checking ANSI-C and C++ for consistency with other languages, such as Verilog
- Performing unwinding the loops in the program and passing the resulting equation to a decision procedure
- Supporting dynamic memory allocation using malloc and new









| e <u>E</u> dit Refac <u>t</u> or <u>N</u> avigate S                                                                                                                                                     | Se <u>a</u> rch <u>P</u> roject <u>R</u> un <u>W</u> ind | ow <u>H</u> elp    |                                                  |                                      |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|--------------------|--------------------------------------------------|--------------------------------------|
| 🖞 • 🔛 🖻 🛛 🎄 • 🚺 •                                                                                                                                                                                       | 🍳 • ] 🛷 ] 🎨 🔶 •                                          | ⇔ .                | Ê ₽c/c++                                         | F CbmcSatabs                         |
| 5- Navigator 🛛                                                                                                                                                                                          |                                                          | md2_bounds.tsk     | Bill md2_bounds.c 🕅                              |                                      |
| ¢                                                                                                                                                                                                       | -> @ [□ ⊈ ▼                                              | for $(i = 0)$      | i < 16; i++)                                     | ^                                    |
| ∃ 🗁 demo                                                                                                                                                                                                | <u>^</u>                                                 |                    | <pre>state[i] ^ block[i];</pre>                  |                                      |
| Results                                                                                                                                                                                                 |                                                          |                    |                                                  |                                      |
| i bounds tek                                                                                                                                                                                            |                                                          |                    | block (18 rounds).                               |                                      |
| CBIC fptr4.tsk                                                                                                                                                                                          |                                                          | */                 |                                                  |                                      |
| Gift int_overflow.tsk                                                                                                                                                                                   |                                                          | t = 0;             |                                                  |                                      |
| md2_bounds.tsk                                                                                                                                                                                          |                                                          |                    | : i < 18; i++) {<br>0; j < 48; j++)              |                                      |
| pointer_obj.tsk                                                                                                                                                                                         |                                                          |                    | ) ^= PI SUBST[t];                                |                                      |
|                                                                                                                                                                                                         |                                                          |                    | i) & 0xff;                                       |                                      |
| 5005 small-c++.tsk                                                                                                                                                                                      |                                                          | }                  | -,,                                              |                                      |
| threads 2 tsk                                                                                                                                                                                           | ×                                                        | <                  |                                                  | >                                    |
| Claims - SATABS - md2_bounds                                                                                                                                                                            | s.tsk ×                                                  |                    |                                                  |                                      |
|                                                                                                                                                                                                         | Check Selection Check                                    | hy File Check by P | roperty Check All Stop Selection Stop All Stop 9 | Session Terminate Session Reset Sess |
| File                                                                                                                                                                                                    | Property                                                 | coyffic checkbyr   | Description                                      | Expression                           |
| md2_bounds.c                                                                                                                                                                                            | bounds                                                   |                    | array `x' upper bound                            | 32 + i < 48                          |
| / md2_bounds.c                                                                                                                                                                                          | array bound                                              |                    | dereference failure: array `state' lower bound   | !(i < 0)    !(c::md2_bounds::MD2T    |
| / md2_bounds.c                                                                                                                                                                                          | array bound                                              |                    | dereference failure: array `state' upper bound   | !(c::md2_bounds::MD2Transform:       |
| Md2_bounds.c                                                                                                                                                                                            | array bound                                              |                    | dereference failure: array `block' lower bound   | !(i < 0)    !(c::md2_bounds::MD2T    |
| md2_bounds.c                                                                                                                                                                                            | array bound                                              |                    | dereference failure: array `block' upper bound   | !(c::md2_bounds::MD2Transform:       |
| md2_bounds.c                                                                                                                                                                                            | bounds                                                   |                    | array `x' upper bound                            | TRUE                                 |
| M md2_bounds.c                                                                                                                                                                                          | bounds                                                   |                    | array `PI_SUBST' upper bound                     | t < 256                              |
| M md2_bounds.c                                                                                                                                                                                          | bounds                                                   |                    | array `x' upper bound                            | TRUE                                 |
| M md2_bounds.c                                                                                                                                                                                          | array bound                                              |                    | dereference failure: array `block' lower bound   | !(i < 0)    !(c::md2_bounds::MD2T    |
| M md2_bounds.c                                                                                                                                                                                          | array bound                                              |                    | dereference failure: array `block' upper bound   | !(c::md2_bounds::MD2Transform:       |
| I wild have de                                                                                                                                                                                          | bounds                                                   |                    | arrav `PI_SUBST' upper bound                     | (t ^ (unsianed int)(*(i + block))) < |
|                                                                                                                                                                                                         |                                                          |                    |                                                  |                                      |
|                                                                                                                                                                                                         |                                                          |                    |                                                  |                                      |
| ace Problems 🏭 Log 🛛                                                                                                                                                                                    |                                                          |                    |                                                  |                                      |
| ace Problems Bill Log &                                                                                                                                                                                 |                                                          |                    |                                                  |                                      |
| wind bounds.c<br>Problems Log X<br>unning Cadence SMV: smv -force<br>adence SMV produced counterex<br>imulating abstract transitions of c                                                               | ample                                                    | ogram              |                                                  |                                      |
| race Problems String Log Structuring Cadence SMV: smv -force<br>Cadence SMV produced counterex<br>imulating abstract transitions of c                                                                   | ample                                                    | ogram              |                                                  |                                      |
| race Problems Store Log &<br>unning Cadence SMV: smv -force<br>cadence SMV produced counterex<br>imulating abstract transitions of o<br>purious transition found<br>race is spurious                    | ample                                                    | ogram              |                                                  |                                      |
| ace Problems BUE Log &<br>unning Cadence SMV: smv -force<br>adence SMV produced counterex<br>imulating abstract transitions of o<br>purious transition found<br>trace is spurious<br>tefning transition | ample                                                    | ogram              |                                                  |                                      |
| ace Problems String Log &<br>Lunning Cadence SMV; smv -force<br>Cadence SMV produced counterex<br>imulating abstract transitions of o<br>purious transition found                                       | ample<br>counterexample on concrete pr                   | ogram              |                                                  |                                      |

DEPENDABLE SOFTWARE LABORATORY



| <u>E</u> dit Refac <u>t</u> or <u>N</u> avigate Se <u>a</u> r                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | rch <u>P</u> roject <u>R</u> un <u>W</u> indow <u>H</u> | <u>l</u> elp                                                                    |                                                                                         |                                  |                                                                        |             |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|---------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|----------------------------------|------------------------------------------------------------------------|-------------|
| 3 • 🔡 📄   🏇 • 🜔 • 💁                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | • ] 🔗 ] 🏷 🗘 • 🔿 🧃                                       | r                                                                               |                                                                                         | 📑 🛅 c/c-                         | ++ 🗄 CbmcSatabs                                                        |             |
| - Navigator 🕄                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | - D                                                     | bounds.tsk                                                                      | md2_bounds.c                                                                            | threads2.tsk                     | threads2.c 🛛                                                           |             |
| <pre> demo  composed composed</pre>                                                                                                                                                                                  | {<br>}<br>}<br>int<br>{<br>pt<br>pt                     | <pre>g=3;<br/>assert(g!=4)<br/>main()<br/>thread_t id1,<br/>thread_create</pre> |                                                                                         |                                  |                                                                        |             |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | <                                                       |                                                                                 |                                                                                         |                                  |                                                                        | >           |
| $\frac{c}{s}$ Claims - SATABS - threads2.tsk $\Sigma$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | 3<br>Check Selection Check by Fi                        | le Check by Prope                                                               |                                                                                         | Selection Stop All Sto           | Session Terminate Session                                              | Reset Sessi |
| 1-1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                         |                                                                                 |                                                                                         |                                  |                                                                        |             |
| File                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Property                                                | De                                                                              | scription                                                                               |                                  | Expression                                                             |             |
| 1.00                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Property<br>assertion                                   | De                                                                              |                                                                                         |                                  |                                                                        |             |
| 1.02                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |                                                         | De                                                                              | scription                                                                               |                                  | Expression                                                             |             |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |                                                         | De                                                                              | scription                                                                               |                                  | Expression                                                             |             |
| threads2.c                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |                                                         | De<br>as                                                                        | scription                                                                               |                                  | Expression                                                             |             |
| Trace × Problems Log                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |                                                         | De<br>as                                                                        | scription<br>sertion                                                                    |                                  | Expression                                                             |             |
| Trace X Problems Log                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |                                                         | De<br>as                                                                        | scription<br>sertion                                                                    |                                  | g != 4                                                                 |             |
| Trace X Problems Log<br>::CPROVER_alloc =<br>::CPROVER_alloc_size =                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                         | De<br>as                                                                        | scription<br>sertion                                                                    | Value                            | g != 4                                                                 |             |
| Trace X Problems Log<br>::CPROVER_alloc =<br>::CPROVER_alloc_size =<br>::g = 0                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                         | De<br>as                                                                        | scription<br>sertion<br>Variable<br>c::t2::arg                                          | Value                            | g != 4                                                                 |             |
| Trace X Problems Log<br>Trace X Problems Log<br>::CPROVER_alloc =<br>::CPROVER_alloc_size =<br>::g = 0<br>::11::arg = NULL                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |                                                         | De<br>as                                                                        | scription<br>sertion<br>Variable<br>c::t2::arg<br>c::t1::arg                            | Value<br>NULL<br>NULL            | g != 4                                                                 |             |
| Trace X Problems Log<br>::_CPROVER_alloc =<br>::_CPROVER_alloc_size =<br>::g = 0<br>::t1::arg = NULL<br>::g = 0                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |                                                         | De<br>as                                                                        | scription<br>sertion<br>Variable<br>c::t2::arg<br>c::t1::arg<br>c::_CPROVER_alle        | Value<br>NULL<br>NULL<br>DC      | g != 4<br>g != 4<br>Type<br>void *<br>void *<br>bool [INFINITY]        |             |
| Trace X Problems Log<br>Trace X Problems Log<br>::CPROVER_alloc =<br>::CPROVER_alloc_size =<br>::g = 0<br>::t1::arg = NULL<br>::g = 0<br>::t2::arg = NULL<br>::g = 1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |                                                         | De<br>as                                                                        | scription<br>sertion<br>Variable<br>c::t2::arg<br>c::t1::arg                            | Value<br>NULL<br>NULL<br>DC<br>4 | g != 4<br>Type<br>void *<br>void *                                     |             |
| Trace X Problems Log<br>Trace X Problems Log |                                                         | De<br>as                                                                        | scription<br>sertion<br>Variable<br>C::t2::arg<br>C::t1::arg<br>C::CPROVER_allo<br>C::g | Value<br>NULL<br>NULL<br>DC<br>4 | g != 4<br>g != 4<br>Type<br>void *<br>void *<br>bool [INFINITY]<br>int |             |
| Trace ×         Problems         Log           Trace ×                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                                                         | De<br>as                                                                        | scription<br>sertion<br>Variable<br>C::t2::arg<br>C::t1::arg<br>C::CPROVER_allo<br>C::g | Value<br>NULL<br>NULL<br>DC<br>4 | g != 4<br>g != 4<br>Type<br>void *<br>void *<br>bool [INFINITY]<br>int |             |
| Trace ×         Problems         Log           Trace ×                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                                                         | De<br>as                                                                        | scription<br>sertion<br>Variable<br>C::t2::arg<br>C::t1::arg<br>C::CPROVER_allo<br>C::g | Value<br>NULL<br>NULL<br>DC<br>4 | g != 4<br>g != 4<br>Type<br>void *<br>void *<br>bool [INFINITY]<br>int |             |
| Trace ×         Problems         Log           Trace ×                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                                                         | De<br>as                                                                        | scription<br>sertion<br>Variable<br>C::t2::arg<br>C::t1::arg<br>C::CPROVER_allo<br>C::g | Value<br>NULL<br>NULL<br>DC<br>4 | g != 4<br>g != 4<br>Type<br>void *<br>void *<br>bool [INFINITY]<br>int |             |

DEPENDABLE SOFTWARE LABORATORY



# HyTech

#### HyTech

1) http://embedded.eecs.berkeley.edu/research/hytech/

An automatic tool for the analysis of a linear hybrid system with temporal requirements<sup>1)</sup>

- Hybrid systems are specified as collections of automata with discrete and continuous components
- Temporal requirements are verified by polyhedral model checking
- Input: Linear hybrid automata (discrete + continuous variables)
   + closed system (no external input)
- No GUI









36

90

0.2 sec.

| A Ubuntu [실행 중] - Oracle VM VirtualBox                                                                                                                                                                                                       | and the second sec |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 머신(M) 보기(V) 장치(D) 도움말(H)                                                                                                                                                                                                                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| jaeyeon@jaeyeon-VirtualBox: ~/HyTech_li                                                                                                                                                                                                      |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| HyTech: symbolic model checker for<br>Version 1.04f (last modified 1/24,<br>For more info:<br>email: hytech@eecs.berkeley.ed<br>http://www.eecs.berkeley.edu/-<br>warning: Input has changed from ve<br>e=================================== | /02) from v1.04a of 12/6/96<br>du<br>~tah/HyTech<br>ersion 1.00(a). Use -i for more info                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| Number of iterations required for<br>====== Generating trace to specif<br>Time: 0.000<br>Location: closed.g.inflow 3                                                                                                                         |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|                                                                                                                                                                                                                                              | & closing_time = 0                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| Time: 0.000<br>Location: closed.q1.inflow_3                                                                                                                                                                                                  | & closing_time = 0 & 4inflow + 39 = 0 & 1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| VIA: on_off_e_1                                                                                                                                                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| Time: 0.000<br>Location: open.q.inflow_3<br>on_off = 1 & contents = 0<br>= 0                                                                                                                                                                 | & closing_time = 0 & 4inflow + 39 = 0 & 1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| VIA 9.750 time units                                                                                                                                                                                                                         |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| Time: 9.750<br>Location: open.q.inflow_3<br>on_off = 1 & 4contents = 39<br>39<br>VIA:                                                                                                                                                        | 9 & closing_time = 0 & inflow = 0 & 4t =                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
|                                                                                                                                                                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |



the gate is always fully closed.



### SpaceEx

#### ∎ SpaceEx

1) http://spaceex.imag.fr/

A tool platform is designed to facilitate the implementation of algorithms related to reachability and safety verification of hybrid systems <sup>1)</sup>

- Safety and reachacility verification
- Input: SX language (Hybrid automata)
   + Non-linear hybrid automata
- Supporting External inputs
- But, hard to interpret counter-examples















# **Statechart Diagram**



# **Statechart Diagram**

- Every object takes <u>a finite number of different states</u> during its life.
- State machine (=Statechart) diagram is used as follows:
  - to model the possible states of a system or object
  - to show how state transitions occur as a consequence of events
  - to show what behavior the system or object exhibits in each state



#### State

- States : nodes of the state machine
- When a state is active, •
  - The object (or system) is in that state.
  - All internal activities specified in this state can be executed.
    - An activity can consist of multiple actions.
- State operations ٠
  - entry / Activity(...)
    - Executed when the object enters the state
  - exit / Activity(...)
    - Executed when the object exits the state
  - do / Activity(...)
    - Executed while the object remains in this state
    - : Initial state Pseudostate
    - : Final state Real state
    - : Terminate node Pseudostate

entry/Activity(...) do/Activity(...) exit/Activity(...)





#### S

Х

NDABLE SOFTWARE ABORATORY



е

S

#### **Transition**

• Change from one state to another







#### **Transition : Examples**



#### If event1 occurs

- Object leaves state1 and Activity2 is executed
- Activity3 is executed
- Object enters state1 and Activity1 is executed







As soon as the execution of A1 is finished, a

completion event is generated; if g1 evaluates to true, the transition takes place; If not, this transition can never happen.



# **Transition - Sequence of Activity Executions**

• Assume **S1** is active ... what is the value of **x** after **e** occurred?



**S1** becomes active, **x** is set to the value **4** 

- e occurs, the guard is checked and evaluates to true
- **S1** is left, **x** is set to **5**

The transition takes place,  $\mathbf{x}$  is set to **10** 

**S2** is entered,  $\mathbf{x}$  is set to **11** 





# **Composite State**

- Synonyms: complex state, nested state ( $\rightarrow$ **OR state**)
- Contains other states  $\rightarrow$  "substates"
  - Only one of its substates is active at any point in time.
  - Arbitrary nesting depth of substates







# **Example : Entering a Composite State**

- Transition to the boundary
  - Initial node of composite state is activated.

| Event     | State   | Executed<br>Activities |
|-----------|---------|------------------------|
| Beginning | S3      |                        |
| e2        | S1/S1.1 | a0-a2-a3-a4            |







# **Example : Entering a Composite State**







# **Example : Exiting from a Composite State**







# **Example : Exiting from a Composite State**







# **Example : Exiting from a Composite State**

• Completion transition from the composite state

| Event     | State   | Executed<br>Activities |
|-----------|---------|------------------------|
| Beginning | S1/S1.1 | a3-a4                  |
| e4        | S1/S1.2 | a6-a7                  |
| e4        | S2      | a8-a5-a1               |







# **Orthogonal State**

- Composite state is divided into two or more regions separated by a dashed I ine. (→ AND State)
  - One state of each region is always active at any point in time,
  - concurrent substates
- Entry: Transition to the boundary of the orthogonal state activates the initial states of all regions.
- Exit: Final state must be reached in all regions to trigger completion event.



# Submachine State (SMS)



- To reuse parts of state machine diagrams in other state machine diagrams
  - Notation: state:submachineState
- As soon as the submachine state is activated, the behavior of the submachine ne is executed.
  - Corresponds to calling a subroutine in programming languages







### **History State**

- To remembers which substate of a composite state was the last active one
  - Activates the "old" substate and all entry activities are conducted sequentially fro m the outside to the inside of the composite state
- Shallow history state restores the state that is on the same level of the composite state.
- <u>Deep history state</u> restores the last active substate over the entire nesting depth.







| Event     | State        |
|-----------|--------------|
| Beginning | S5           |
| e1        | S4/S1/S1.1   |
| e2        | S1.2         |
| e10       | S5           |
| e9        | (H→) S1/S1.1 |







| Event     | State      |
|-----------|------------|
| Beginning | S5         |
| e1        | S4/S1/S1.1 |
| e2        | S1.2       |
| e10       | S5         |
| e8        | (H*→) S1.2 |







| Event     | State        |
|-----------|--------------|
| Beginning | S5           |
| e9        | (H→) S1/S1.1 |







| Event     | State         |
|-----------|---------------|
| Beginning | S5            |
| e8        | (H*→) S3/S3.1 |





# More Examples : Vending Machine







#### **More Examples : Keyboard**







#### **More Examples : Cruise Control System**











## **Statecharts Modeling**



### **Statechart Modeling - CVM**

- Let's perform the Statechart modeling for CVM (Coffee Vending Machine).
  - Consisting of one or several control SW(s) and various HWs
- Modeling tool:
  - StarUML
  - YAKINDU Statecharts
  - 종이와 연필
- Modeling features
  - Common CVMs
  - 5 different coffees with different value : input
  - Coins : 50, 100, 500, 1000 : input
  - Refund : output
  - Out-of-services : output
  - Vending : output







### **CVM - A Draft Architecture**







### **CVM – A StarUML Example**











## Example : 커피 자판기 모델 (YAKINDU Statecharts)



a



### **YAKINDU Statechart Tool**

- YAKINDU statechart tool
  - https://www.itemis.com/en/yakindu/state-machine/





## Example : 커피 자판기 모델 (YAKINDU Statecharts)







## 커피 자판기 모델

- It consists of 2 state and 1 orthogonal state (with 4 region)
  - 1. Off state
  - 2. Refund state
  - 3. Operation state (orthogonal state)
    - 동전 (Coin\_region)
    - 추출 (Operation\_region)
    - 보충 (Material\_region)
    - 알람 (Alarm\_region)



## 커피 자판기 모델

- Definition of the event and variable
  - Each event has a valuable data type

@CycleBased(200)

interface start: in event on in event off

interface user: in event insertCoin : integer in event refund in event specialMilk in event milk in event specialBlack in event alarm

interface machine: var currentCoin : integer var currentMilk : integer = 1000 var currentWater : integer = 1000 var currentCoffee : integer = 500 var stay : boolean = false

interface manager: in event fillWater : integer in event fillCoffee : integer in event fillMilk : integer in event stop in event start // Define events and // and variables here.



KONKUK UNIVERSITY



### **Off state**

- 자판기의 off 상태 표시
  - Start event를 통해서 off/operation state로의 전환 담당







### **On\_operation state - Coin\_region**

- 자판기 사용을 위한 동전 삽입 region
  - Stay 상태에서 언제든 삽입 가능





### **On\_operation state - Operation\_region**

- 자판기 에서 추출을 위한 부분
  - 3 종류의 커피 추출 (specialMilk, milk, specialBlack)
  - 추출 이벤트에 따라 재료 확인 후 일정 시간 후 추출
    - 재료 부족 시 알람 이벤트 및 일정 시간 이후에 환불 진행







### **On\_operation state - Operation\_region**

• An example of the specialMilk







### **On\_operation state - Material\_region**

- 재료 보충 관련 region
  - Coin\_region을 stop으로 변경 후 재료 보충 진행







### **On\_operation state - Alarm\_region**

- Alarm 관련 region
  - 알람 이벤트 후 일정 시간 후 off







### **Refund state**

• 환불 event, 재료 부족 event에 따라 환불 진행하는 state







# SIMULATION





### Simulation





### Simulation

• Insert the event and value in simulation proper

|        |                                                       |              | +                |
|--------|-------------------------------------------------------|--------------|------------------|
| coffee | _main [active]                                        | ✓ ♥ 00:00:07 | .600             |
| Name   | 9                                                     | Value        |                  |
| ~ ≣    | start                                                 |              |                  |
|        | P on                                                  |              |                  |
|        | l <sup>⊳</sup> off                                    |              |                  |
| × 🗐    | luser                                                 |              |                  |
|        | insertCoin                                            | 0            |                  |
|        | refund                                                |              | Event with value |
|        | SpecialMilk                                           |              |                  |
|        | P <u>milk</u>                                         |              |                  |
|        | SpecialBlack                                          |              |                  |
|        | P <u>alarm</u>                                        |              |                  |
| × =,   | machine<br>(x) currentCoin                            | 0            |                  |
|        | (x) currentMilk                                       | 1000         |                  |
|        | (X) currentWater                                      | 1000         |                  |
|        | (X) currentCoffee                                     | 500          |                  |
|        | (x) stay                                              | ☐ false      |                  |
| ~ ≣    | manager                                               |              |                  |
|        | P fillWater                                           | 0            |                  |
|        | P fillCoffee                                          | 0            |                  |
|        | P fillMilk                                            | 0            |                  |
|        | ▶ stop                                                |              |                  |
|        | ► start                                               |              |                  |
| ▼ ■    | time events                                           |              |                  |
|        | Coffee_specialMilk_time_eve                           |              |                  |
|        | Prepare_coffee_time_event_0                           |              |                  |
|        | Mix_water_time_event_0                                | 0            |                  |
|        | Mix_milk_time_event_0                                 | 0            |                  |
|        | end_time_event_0                                      | 0            |                  |
|        | Coffee_milk_time_event_0                              | 0            |                  |
|        | Prepare_coffee_time_event_0<br>Mix_water_time_event_0 | 0            |                  |
|        | Mix_water_time_event_0                                | 0            |                  |
|        | end_time_event_0                                      | 0            |                  |
|        | Coffee_specialBlack_time_ev                           | -            |                  |
|        | Prepare_coffee_time_event_0                           |              |                  |
|        | Mix_water_time_event_0                                | 0            |                  |
|        | end_time_event_0                                      | 0            |                  |
|        | Fill_water_time_event_0                               | 0            |                  |
|        | Fill_milk_time_event_0                                | 0            |                  |
|        | Fill_coffee_time_event_0                              | 0            |                  |
|        | Alarm_on_time_event_0                                 | 0            |                  |
|        | refund_time_event_0                                   | 0            |                  |
| 1      |                                                       |              | 200              |

KU KONKUK UNIVERSITY





### Simulation







### Simulation [1/4]







- ø ×

### Simulation [2/4]

#### 😚 ws - Coffee\_machine/model/coffee\_main.sct - YAKINDU SCT

Eile Edit Diagram Navigate Segrch Project Bun Window Help







### Simulation [3/4]

😵 ws - Coffee\_machine/model/coffee\_main.sct - YAKINDU SCT







- ø ×

### Simulation [4/4]

#### 💸 ws - Coffee\_machine/model/coffee\_main.sct - YAKINDU SCT

<u>File Edit Diagram Navigate Search Project Bun Window H</u>elp









## Introduction to SMV



### **Model Checking**



- Model checking
  - An automatic technique for verifying properties of a finite model of a system.
- General approach:
  - Construct  $M \leftarrow$  a model of the behavior of the system
    - (given as kripke structure, finite automata). M must be finite.
  - Specify  $\phi \leftarrow$  a property expected of the system (given as Temporal Logic)
  - Check that *M* satisfies  $\phi$ , if not , produce counter-example.
- Examples of model checking tools:
  - SMV, SPIN, UPPAAL, Kronos





### **SMV: Symbolic Model Verifier**

- Ken McMillan
  - Symbolic Model Checking: An Approach to State Explosion Problem, 1993
- Modeling Language
  - Modularized and hierarchical descriptions
  - Finite data types: boolean, enum, int, etc.
  - Array, loops, if-close, etc.
  - Non-determinism, parallel execution
- Property specification Language
  - CTL and LTL
  - safety, liveness, deadlock
  - Fairness
- Cadence SMV: command line and GUI for Windows / Linux / Sun-OS
  - Other SMV versions: CMU-SMV, NuSMV

| ₩ Sample.smv                                                                     | -         |   | ×            |
|----------------------------------------------------------------------------------|-----------|---|--------------|
| <u>File P</u> rop <u>V</u> iew <u>G</u> oto H <u>i</u> story <u>A</u> bstraction |           |   | <u>H</u> elp |
| Browser Properties Results Cone Using Groups                                     |           |   |              |
| Name Layer                                                                       |           |   |              |
|                                                                                  |           |   |              |
|                                                                                  |           |   |              |
|                                                                                  |           |   |              |
|                                                                                  |           |   |              |
|                                                                                  |           |   |              |
|                                                                                  |           |   |              |
|                                                                                  | _         | _ |              |
| <u>S</u> ource <u>I</u> race <u>L</u> og                                         |           |   |              |
| Fil <u>e</u> Sho <u>w</u>                                                        |           |   |              |
| main undefined                                                                   |           | _ | -            |
| MODULE main                                                                      |           |   |              |
| VAR                                                                              |           |   |              |
| request: boolean;<br>state: {ready, busy};                                       |           |   |              |
| ASSIGN                                                                           |           |   |              |
| <pre>init(state) := ready;</pre>                                                 |           |   |              |
| next(state) :=<br>case                                                           |           |   |              |
| <pre>state=ready &amp; request: busy;</pre>                                      |           |   |              |
| TRUE: {ready, busy};<br>esac;                                                    |           |   |              |
| LTLSPEC G(request -> F (state = busy))                                           |           |   |              |
| HIBFEC G(LEQUESC -> r (State - Suby))                                            |           |   |              |
|                                                                                  |           |   |              |
|                                                                                  |           |   |              |
|                                                                                  |           |   |              |
|                                                                                  |           |   | -            |
|                                                                                  | i-search: |   |              |



### NuSMV

- Re-implementation at IRST
- http://nusmv.fbk.eu/



#### NuSMV: a new symbolic model checker

### NEWN NuSMV 2.6.0 is OUT!

**NEWN**<u>nuXmv 1.0.0</u> a new symbolic model checker for the analysis of synchronous finite-state and infinite-state systems is OUT

NuSMV 2.6.0 is a major release that comes after four years passed working under the surface. The release provides some new features, many bug fixes and optimizations, and substantial differences in the software architecture and building system.

KONKUK

Follow this link to retrieve a copy.

Read the announce for NuSMV 2.6.0. Read the announce for NuSMV 2.5.4. Read the announce for NuSMV 2.5.3. Read the announce for NuSMV 2.5.2 Read the announce for NuSMV 2.5.1 Read the announce for NuSMV 2.5.0. Read the announce for NuSMV 2.4.3. Read the announce for NuSMV 2.4.2. Read the announce for NuSMV 2.4.1. Read the announce for NuSMV 2.4.0. Read the announce for NuSMV 2.3.1. Read the announce for NuSMV 2.3.0. Read the announce for NuSMV 2.2.5. Read the announce for NuSMV 2.2.4. Read the announce for NuSMV 2.2.3. Read the announce for NuSMV 2.2.2. Read the announce for NuSMV 2.2.1. Read the announce for NuSMV 2.2. Read the announce for NuSMV 2.1. Read the announce for NuSMV 2.

Links to some projects using NuSMV

### NuSMV 2 is OpenSource!

New versions of NuSMV are distributed under the <u>LGPL v2.1</u> license. This is an Open Source license that allows free academic and commercial usage of NuSMV. For further information follow <u>this link</u>.



NuSMV is a symbolic model checker developed as a joint project between





## **Running NuSMV (Interactively)**

### NuSMV -int

– Runs NuSMV in interactive mode

### read\_model –i <filename>

- Reads a system spec. from file

### • go

- Builds the internal representation of the model

### check\_fsm

Checks whet

### compute\_reachable

- Computes set of reachable states first
- The model checking algorithm traverses only the set of reachable states instead of complete state space.
- Useful if reachable state space is a small fraction of total state space
- check\_ctlspec [check\_ltlspec]
  - Checks all the CTL properties [LTL properties] included in the file





### **A Sample SMV Program**



```
LTLSPEC G(request -> F (state = busy))
```



### NuSMV

NuSMV provides:

- **1**. A language for describing finite state models of systems
  - Reasonably expressive
  - Allows for modular construction of models
- 2. Model checking algorithms for checking specifications written in LTL and CTL (and some other logics) against finite state machines.

## A first SMV program

```
MODULE main
VAR
b0 : boolean
ASSIGN
init(b0) := FALSE;
next(b0) := !b0;
```

An SMV program consists of:

- Declarations of state variables (b0 in the example); these determine the state space of the model.
- Assignments that constrain the valid initial states (init(b0) := FALSE).
- Assignments that constrain the transition relation (next(b0) := !b0).

## **Declaring state variables**

SMV data types include:

boolean:

x : boolean;

### enumeration:

```
st : {ready, busy, waiting, stopped};
```

bounded integers (intervals):

n : 1..8;

arrays and bit-vectors

```
arr : array 0..3 of {red, green, blue};
bv : signed word[8];
```

### Assignments

### initialisation:

ASSIGN
init(x) := expression ;
progression:
ASSIGN
next(x) := expression ;

ASSIGN

y := expression ;

y := expression ;

### immediate:

or

DEFINE

### Assignments

- If no init() assignment is specified for a variable, then it is initialised non-deterministically;
- If no next() assignment is specified, then it evolves nondeterministically. i.e. it is unconstrained.
  - Unconstrained variables can be used to model nondeterministic inputs to the system.
- Immediate assignments constrain the current value of a variable in terms of the current values of other variables.
  - Immediate assignments can be used to model outputs of the system.

### Expressions

| expr | ::= | atom                           | symbolic constant   |
|------|-----|--------------------------------|---------------------|
|      |     | number                         | numeric constant    |
|      |     | id                             | variable identifier |
|      |     | ! expr                         | logical not         |
|      |     | $expr \bowtie expr$            | binary operation    |
|      |     | expr[expr]                     | array lookup        |
|      |     | $\texttt{next}(\mathit{expr})$ | next value          |
|      |     | case_expr                      |                     |
|      |     | set_expr                       |                     |

where  $\bowtie \in \{\&, |, +, -, *, /, =, !=, <, <=, ...\}$ 

### **Case Expression**

 $case\_expr::=$  case  $expr_{a1}$  :  $expr_{b1}$ ;  $\dots$   $expr_{an}$  :  $expr_{bn}$ ; esac

- Guards are evaluated sequentially.
- The first true guard determines the resulting value

Expressions in SMV do not necessarily evaluate to one value.

- In general, they can represent a set of possible values. init(var) := {a,b,c} union {x,y,z} ;
- destination (lhs) can take any value in the set represented by the set expression (rhs)
- constant c is a syntactic abbreviation for singleton {c}

# **LTL Specifications**

- LTL properties are specified with the keyword LTLSPEC: LTLSPEC <ltl\_expression> ;
- <ltl\_expression> can contain the temporal operators:
   X\_ F\_ G\_ \_U\_
- E.g. condition out = 0 holds until reset becomes false: LTLSPEC (out = 0) U (!reset)

# **ATM Example**

```
MODULE main
VAR.
  state: {welcome, enterPin, tryAgain, askAmount,
         thanksGoodbye, sorry};
  action: {cardIn, correctPin, wrongPin, ack, cancel,
          fundsOK, problem, none};
ASSIGN
  init(state) := welcome;
 next(state) := case
    state = welcome & action = cardIn : enterPin;
    state = enterPin & action = correctPin : askAmount ;
   state = enterPin & action = wrongPin : tryAgain;
   state = tryAgain & action = ack
                                     : enterPin;
   state = askAmount & action = fundsOK : thanksGoodbye;
   state = askAmount & action = problem : sorry;
    state = enterPin & action = cancel
                                          : thanksGoodbye;
   TRUE
                                          : state;
  esac;
LTLSPEC F( G state = thanksGoodbye
                                        Model을 수정해서 해당
           | G state = sorry
                                       Spec.을 만족하게끔 합니다!
        );
```

# **Running NuSMV**

#### Batch

\$ NuSMV atm.smv

#### Interactive

- \$ NuSMV -int atm.smv
  NuSMV > go
  NuSMV > check\_ltlspec
  NuSMV > quit
  - go abbreviates the sequence of commands read\_model,
    flatten\_hierarchy, encode\_variables, build\_model.
  - For command options, use -h or look in the NuSMV User Manual.

# **Expected Failure**

```
NuSMV > check_ltlspec
-- specification F ( G state = thanksGoodbye
                      | G state = sorry) is false
-- as demonstrated by the following execution sequence
Trace Description: LTL Counterexample
Trace Type: Counterexample
-> State: 1.1 <-
  state = welcome
  input = cardIn
-> State: 1.2 <-
  state = enterPin
  input = correctPin
-- Loop starts here
-> State: 1.3 <-
  state = askAmount
  input = ack
-> State: 1.4 <-
```

### **Unexpected** Failure

```
-- specification
    ( F ( G !(state = askAmount)) ->
     F ( G state = thanksGoodbye | G state = sorry))
        is false
-- as demonstrated by the following execution sequence
Trace Description: LTL Counterexample
Trace Type: Counterexample
-> State: 2.1 <-
  state = welcome
  input = cardIn
-- Loop starts here
-> State: 2.2 <-
  state = enterPin
  input = ack
-> State: 2.3 <-
```

#### Success

#### C:\WINDOWS\system32\cmd.exe

```
C:#Users#JUNBEOM_YOO>NuSMV_ATM.smv
*** This is NuSMV 2.6.0 (compiled on Wed Oct 14 15:37:51 2015)
*** Enabled addons are: compass
*** For more information on NuSMV see <http://nusmv.fbk.eu>
*** or email to <nusmv-users@list.fbk.eu>.
*** Please report bugs to <Please report bugs to <nusmv-users@fbk.eu>>
*** Copyright (c) 2010-2014, Fondazione Bruno Kessler
*** This version of NuSMV is linked to the CUDD library version 2.4.1
*** Copyright (c) 1995-2004. Regents of the University of Colorado
*** This version of NuSMV is linked to the MiniSat SAT solver.
*** See http://minisat.se/MiniSat.html
*** Copyright (c) 2003–2006, Niklas Een, Niklas Sorensson
*** Copyright (c) 2007-2010. Niklas Sorensson
--specification F ( G state = thanksGoodbye | G state = sorry) is false
 - as demonstrated by the following execution sequence
Trace Description: LTL Counterexample
Trace Type: Counterexample
 -> State: 1.1 <-
   state = welcome
   action = cardIn
 -> State: 1.2 <-
   state = enterPin
   action = correctPin
 -- Loop starts here
 -> State: 1.3 <-
   state = askAmount
   action = ack
 -> State: 1.4 <-
 - specification ( F ( G !(state = askAmount)) ->  F ( G state = thanksGoodbye |  G state = sorry))  is false
 - as demonstrated by the following execution sequence
Trace Description: LTL Counterexample
Trace Type: Counterexample
 -> State: 2.1 <-
   state = welcome
   action = cardIn
 -- Loop starts here
 -> State: 2.2 <-
   state = enterPin
   action = ack
 -> State: 2.3 <-
 - specification ( G (((state = welcome -> F action = cardIn) & (state = enterPin -> F (state = enterPin & (action = correctPin | action =
 cancel)))) & (state = askAmount -> F (action = fundsOK | action = problem))) -> F ( G state = thanksGoodbye | G state = sorry)) is true
```

×

# Modules

```
MODULE counter
VAR digit : 0..9;
ASSIGN
    init(digit) := 0;
    next(digit) := (digit + 1) mod 10;
MODULE main
VAR c0 : counter;
    c1 : counter;
    sum : 0..99;
ASSIGN
    sum := c0.digit + 10 * c1.digit;
```

- Modules are instantiated in other modules. The instantiation is performed inside the VAR declaration of the parent module.
- In each SMV specification there must be a module main. It is the top-most module.
- All the variables declared in a module instance are visible in the module in which it has been instantiated via the dot notation (e.g., c0.digit, c1.digit).

### Modules

```
MODULE counter
VAR digit : 0..9;
ASSIGN
  init(digit) := 0;
 next(digit) := (digit + 1) mod 10;
MODULE main
VAR c0 : counter;
    c1 : counter;
    sum : 0..99;
ASSIGN
    sum := c0.digit + 10 * c1.digit;
LTLSPEC
 F sum = 13;
```

► Is this specification satisfied by this model?

-- specification F sum = 13 is false

-- as demonstrated by the following execution sequence

Trace Description: LTL Counterexample

Trace Type: Counterexample

- -- Loop starts here
- -> State: 1.1 <
  - c0.digit = 0
  - c1.digit = 0
  - sum = 0
- -> State: 1.2 <c0.digit = 1
  - c1.digit = 1
  - sum = 11
- -> State: 1.3 <
  - c0.digit = 2
  - c1.digit = 2
  - sum = 22

. . .





KU KONKUK

# Modules with parameters

```
MODULE counter(inc)
VAR digit : 0..9;
ASSIGN
  init(digit) := 0;
  next(digit) := inc ? (digit + 1) mod 10
                      : digit;
DEFINE top := digit = 9;
MODULE main
VAR c0 : counter(TRUE);
    c1 : counter(c0.top);
    sum : 0..99;
ASSIGN
  sum := c0.digit + 10 * c1.digit;
```

- Formal parameters (inc) are substituted with the actual parameters (TRUE, c0.top) when the module is instantiated.
- Actual parameters can be any legal expression.
- Actual parameters are passed by reference.

#### -- specification F sum = 13 is true

| on 선택 C:\WINDOWS\#system32\cmd.exe                                                                                                                                                                                                                                                                                                                                                               | _ | × |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|---|
| C:₩Users₩JUNBEOM YOO>NuSMV Module2.smv<br>*** This is NuSMV 2.6.0 (compiled on Wed Oct 14 15:37:51 2015)<br>*** Enabled addons are: compass<br>*** For more information on NuSMV see <http: nusmv.fbk.eu=""><br/>*** or email to <nusmv-users@list.fbk.eu>.<br/>*** Please report bugs to <please <nusmv-users@fbk.eu="" bugs="" report="" to="">&gt;</please></nusmv-users@list.fbk.eu></http:> |   | ^ |
| *** Copyright (c) 2010-2014, Fondazione Bruno Kessler                                                                                                                                                                                                                                                                                                                                            |   |   |
| *** This version of NuSMV is linked to the CUDD library version 2.4.1<br>*** Copyright (c) 1995-2004, Regents of the University of Colorado                                                                                                                                                                                                                                                      |   |   |
| *** This version of NuSMV is linked to the MiniSat SAT solver.<br>*** See http://minisat.se/MiniSat.html<br>*** Copyright (c) 2003-2006, Niklas Een, Niklas Sorensson<br>*** Copyright (c) 2007-2010, Niklas Sorensson                                                                                                                                                                           |   |   |
| specification F sum = 13 is true                                                                                                                                                                                                                                                                                                                                                                 |   |   |
| C:#Users#JUNBEOM_YOO>_                                                                                                                                                                                                                                                                                                                                                                           |   |   |
|                                                                                                                                                                                                                                                                                                                                                                                                  |   |   |

### Summary

- Introduction to NuSMV
  - ► H&R Section 3.3
  - ► NuSMV Tutorial:
    - http://nusmv.fbk.eu/NuSMV/tutorial/v26/tutorial.pdf
  - ► NuSMV Start-up Guide on FV Web Page
- Next time:
  - Introduction to the practical exercise.





# **NuSMV Verification**



### The NuSMV Verification - CVM

- Let's perform the NuSMV verification upon CVM (Coffee Vending Machine).
- Modeling :
  - The SMV input program (.SMV)
  - Use your Statecharts model as a base reference.
- Formal Verification :
  - Use <u>NuSMV</u> or Cadence SMV
- Properties to verify
  - Deadlock freeness
  - Basic functions
  - Important functions
    - "100원을 넣고 커피를 누르면, 항상 커피가 나온다."
    - "동전을 넣지 않으면, 커피가 절대로 나오지 않는다."
    - "100원을 넣고 커피3을 누르면, 반드시 커피3이 나온다."
    - "환불을 누르면, 남은 금액이 환불된다."
    - "재고가 없을 때는 절대로 커피가 나오지 않는다."

| 76 Sample.smv                                                                                                                                        | -       |   | )  |
|------------------------------------------------------------------------------------------------------------------------------------------------------|---------|---|----|
| Elle <u>Prop View G</u> oto History <u>A</u> bstraction<br><u>Browser</u> Pr <u>operties</u> <u>Results</u> <u>Cone</u> Usi <u>ng</u> <u>G</u> roups |         | 1 | He |
| Name Layer                                                                                                                                           |         |   |    |
|                                                                                                                                                      |         |   |    |
|                                                                                                                                                      |         |   |    |
|                                                                                                                                                      |         |   |    |
|                                                                                                                                                      |         |   |    |
| - T - T - T                                                                                                                                          |         |   | -  |
| Source Trace Log                                                                                                                                     |         |   |    |
| File Show                                                                                                                                            |         |   |    |
| main undefined<br>MODULE main                                                                                                                        |         |   |    |
| VAR                                                                                                                                                  |         |   |    |
| request: boolean;<br>state: {ready, busy};                                                                                                           |         |   |    |
| ASSIGN                                                                                                                                               |         |   |    |
| <pre>init(state) := ready;</pre>                                                                                                                     |         |   |    |
| next(state) :=<br>case                                                                                                                               |         |   |    |
| <pre>state=ready &amp; request: busy; TRUE: {ready, busy};</pre>                                                                                     |         |   |    |
| esac;                                                                                                                                                |         |   |    |
| LTLSPEC G(request -> F (state = busy))                                                                                                               |         |   |    |
|                                                                                                                                                      |         |   |    |
|                                                                                                                                                      |         |   |    |
|                                                                                                                                                      |         |   |    |
|                                                                                                                                                      |         |   |    |
|                                                                                                                                                      |         |   | _  |
|                                                                                                                                                      | i-searc |   |    |

The Cadence SMV









### Verification with symbolic model checker

- NuSMV
  - <u>NuSMV</u> is a reimplementation and extension of <u>SMV</u>, the first model checker based on BDDs. <u>NuSMV</u> has been designed to be an open architecture for model checking, which can be reliably used for the verification of industrial designs, as a core for custom verification tools, as a testbed for formal verification techniques, and applied to other research areas.





#### **MODULE** coin

- Coin 의 증가/감소에 대한 모듈
  - 증가: 0, 100, 500, 1000 중 선택하여 증가
  - 감소: 추출 시 커피의 가격에 맞게 감소

```
MODULE coin(machinestate, current coin2, coffee command)
 AR
    coin value : {0, 100, 500, 1000};
    coin_reduce : {0, 200, 300};
ASSIGN
   init(coin_value):= 0;
    next(coin_value):=
        case
        machinestate = On operation : {0, 100, 500, 1000};
       TRUE : 0;
        esac;
   init(coin reduce):= 0;
    next(coin reduce):=
        case
        machinestate = On operation & coffee command = specialMilk: 300;
        machinestate = On_operation & coffee_command = milk: 200;
        machinestate = On_operation & coffee_command = black: 300;
        TRUE : 0;
        esac;
DEFINE
   main.current_coin := current_coin2 + coin_value - coin_reduce;
```



### **MODULE timer**

- Alarm<sup>o</sup> timer
  - 1000 cycle 후 종료 하도록 timeout 전달

```
MODULE timer
VAR
    time : 0..1000;
ASSIGN
    init(time) := 0;
    next(time) := (time + 1) mod 1000;
DEFINE
    timeout_alarm := time mod 1000 = 0;
```





#### **MODULE** alarm

- 재료 부족 시 알람에 대한 모듈
  - 재료 부족이 TRUE일 경우 alarm on
  - 일정 시간 이후 (timeout) off로 전환

```
MODULE alarm(material_lack, timeout)
VAR
    alarm_on : boolean;

ASSIGN
    init(alarm_on) := FALSE;
    next(alarm_on) :=
        case
        material_lack = TRUE : TRUE;
        timeout.timeout_alarm = TRUE : FALSE;
        TRUE : FALSE;
        esac;
```





### **MODULE** main

- Vending machine<sup>o</sup>| main
  - 현재 머신의 상태 관리 (off, on\_operation, refund)
  - 현재 머신의 정보 저장 (water, milk, coffee, coin)
  - 다른 MODULE process (timer, alarm, coin)
  - Command에 따라 상태 변화 (onoff, refund, coffee)
  - 커피 추출에 따른 상태 변화 및 정보 변경





### **MODULE** main [VAR]

- FSM을 구성하는 모든 요소를 Variables로 표현합니다.
  - External Events / Internal Events
  - State Variables / States
- 각 변수에 대한 ASSIGN을 정의합니다.
  - Assign이 없는 변수는 random하게 (nondeterministic) 값이 할당됩니다.

```
VAR
state : {off, On_operation, refund};
onoff_command : boolean;
refund_command : boolean;
material_lack : boolean;
coffee_command : {NONE, specialMilk, milk, black};
alarm_timeout : process timer();
coin_check : process coin(state, current_coin, coffee_command);
alarm_on : process alarm(material_lack, alarm_timeout);
current_water: 0..1000;
current_milk: 0..1000;
current_coffee: 0..1000;
current_coin : 0..2000;
```



### **MODULE** main [ASSIGN]

```
init(state) := off;
next(state) :=
    state = off & onoff command = TRUE : On operation;
    state = On operation & onoff command = FALSE : off;
    state = On operation & refund command = TRUE : refund;
    state = refund : On operation;
   TRUE : state;
    esac;
init(current_milk) := 1000;
next(current_milk) :=
    current_coin >= 300 & state = On_operation & coffee_command = specialMilk & current_milk >= 20 : current milk - 20;
    current_coin >= 200 & state = On_operation & coffee_command = milk & current_milk >= 10 : current_milk - 10;
    state = On_operation & coffee_command = specialMilk & current_milk < 20 : current_milk;</pre>
    TRUE : current_milk;
    esac;
init(current_water) := 1000;
next(current_water) :=
    current_coin >= 300 & state = On_operation & coffee_command = specialMilk & current_water >= 20 : current_water - 20;
    current_coin >= 300 & state = On_operation & coffee_command = black & current_water >= 20 : current_water - 20;
    current_coin >= 200 & state = On_operation & coffee_command = milk & current_water >= 20 : current_water - 20;
    TRUE : current_water;
    esac;
init(current_coffee) := 1000;
next(current_coffee) :=
    current_coin >= 300 & state = On_operation & coffee_command = specialMilk & current_coffee >= 20 : current_coffee - 20;
    current coin \geq 300 & state = On operation & coffee command = black & current coffee \geq 30 : current coffee - 30;
    current coin >= 200 & state = On operation & coffee command = milk & current coffee >= 10 : current coffee - 10;
    TRUE : current_coffee;
    esac;
```





### **MODULE** main [ASSIGN]

```
init(coffee_command) := NONE;
next(coffee command) :=
    case
    state = On operation : {NONE, specialMilk, milk, black};
    state != On_operation : NONE;
    esac;
init(material_lack) := FALSE;
next(material_lack) :=
    case
        current_milk < 10 | current_coffee < 10 | current_water < 20 : TRUE;</pre>
        coffee_command = black & current_coffee < 30 : TRUE;</pre>
        coffee command = specialMilk & (current milk < 20 | current coffee < 20) : TRUE;
        TRUE : FALSE;
    esac;
init(current_coin) := 0;
next(current coin):=
    case
    state = off | state = On_operation : current_coin;
    state = refund : 0;
    esac;
```





#### **MODULE** main [SPEC]

```
SPEC AG EX TRUE
SPEC EF (state = off -> state = On_operation)
SPEC EF (state = On_operation -> state = off)
SPEC EF (state = On_operation -> current_coin != 0)
SPEC AF (alarm_on.alarm_on = TRUE -> alarm_on.alarm_on = FALSE)
SPEC AX (state = refund & current_coin != 0 -> current_coin = 0)
SPEC AX (current_coin = 300 & state = On_operation & coffee_command = specialMilk -> (current_coin = 0))
SPEC AX (current_coin = 500 & state = On_operation & coffee_command = black -> (current_coin = 200))
SPEC AF (current_milk = 1000 & state = On_operation & coffee_command = black -> EX(current_milk = 980))
SPEC AF (current_coffee = 1000 & state = On_operation & coffee_command = black -> EX(current_milk = 980))
SPEC AG (current_coffee < 30 & state = On_operation & coffee_command = black -> alarm_on.alarm_on =TRUE)
SPEC AG (current_milk < 20 & state = On_operation & coffee_command = black -> alarm_on.alarm_on =TRUE)
```

-- specification AG (EX TRUE) is true -- specification EF (state = off -> state = On\_operation) is true -- specification EF (state = On\_operation -> current\_coin != 0) is true -- specification AX ((state = refund & current\_coin != 0) -> current\_coin = 0) is true -- specification AX ((current\_coin = 300 & state = On\_operation) & coffee\_command = specialMilk) -> current\_coin = 0) is true -- specification AX ((current\_coin = 500 & state = On\_operation) & coffee\_command = specialMilk) -> current\_coin = 200) is true -- specification AX ((current\_milk = 1000 & state = On\_operation) & coffee\_command = specialMilk) -> EX current\_milk = 980) is true -- specification AF (((current\_milk = 1000 & state = On\_operation) & coffee\_command = black) -> EX current\_milk = 980) is true -- specification AF (((current\_coffee = 1000 & state = On\_operation) & coffee\_command = black) -> EX current\_coffee = 970) is true -- specification AF (((current\_coffee = 1000 & state = On\_operation) & coffee\_command = black) -> EX current\_coffee = 970) is true -- specification AF (alarm\_on\_alarm\_on = TRUE -> alarm\_on\_alarm\_on = FALSE) is true -- specification AG (((current\_coffee < 30 & state = On\_operation) & coffee\_command = black) -> alarm\_on\_alarm\_on = TRUE) is true -- specification AG (((current\_milk < 20 & state = On\_operation) & coffee\_command = specialMilk) -> alarm\_on\_alarm\_on = TRUE) is true





# CTL property

| No. | CTL SPEC                                                                                                      | Description                                  |
|-----|---------------------------------------------------------------------------------------------------------------|----------------------------------------------|
| 1   | SPEC AG EX TRUE                                                                                               | Deadlock                                     |
| 2   | SPEC EF (state = off -> state = On_operation)                                                                 | 머신이 off 상태 일 때 on 이 될 수 있다.                  |
| 3   | SPEC EF (state = On_operation -> state = off)                                                                 | 머신이 on 상태 일 때 off 될 수 있다.                    |
| 4   | SPEC EF (state = On_operation -> current_coin != 0)                                                           | 머신이 on 상태일 때 코인이 증가할 수 있다.                   |
| 5   | SPEC AF (alarm_on.alarm_on = TRUE -> alarm_on.alarm_on = FALSE)                                               | 알람이 on 이면 항상 미래에 off가 된다.                    |
| 6   | SPEC AX (state = refund & current_coin != 0 -> current_coin = 0)                                              | Refund state 이면 항상 다음에 coin이 초기화 된다.         |
| 7   | SPEC AX (current_coin = 300 & state = On_operation & coffee_command = specialMilk -> (current_coin = 0))      | 300 coin을 넣고 specialMilk를 요청하면 coin이 0 이 된다. |
| 8   | SPEC AX (current_coin = 500 & state = On_operation & coffee_command = black -> (current_coin = 200))          | 500 coin을 넣고 black을 요청하면 coin이 200 이 된다.     |
| 9   | SPEC AF (current_milk = 1000 & state = On_operation & coffee_command = specialMilk -> EX(current_milk = 980)) | specialMilk를 요청하면 우유가 20 감소한다.               |
| 10  | SPEC AF (current_coffee = 1000 & state = On_operation & coffee_command = black -> EX(current_coffee = 970))   | Black을 요청하면 커피가 30 감소한다.                     |
| 11  | SPEC AG (current_coffee < 30 & state = On_operation & coffee_command = black -> alarm_on.alarm_on = TRUE)     | 커피가 30 이만일 때 black을 요청하면 항상 알람이 울린다.         |
| 12  | SPEC AG (current_milk < 20 & state = On_operation & coffee_command = specialMilk -> alarm_on.alarm_on =TRUE)  | 우유가 20 미만일 때 specialMilk를 요청하면 알람이 울린다.      |
|     |                                                                                                               |                                              |
|     |                                                                                                               |                                              |
|     |                                                                                                               |                                              |
|     |                                                                                                               |                                              |
|     |                                                                                                               |                                              |





### **The SMV Modeling Checking - Commands**

| 선택 C:₩WINDOWS₩system32₩cmd.exe - NuSMV -int                                                                                                                                                                                                                                                                                                                                               | _ | × |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|---|
| C:#Users#JUNBEOM YOO>NuSMY -int<br>*** This is NuSMY 2.6.0 (compiled on Wed Oct 14 15:37:51 2015)<br>*** Enabled addons are: compass<br>*** For more information on NuSMY see <http: nusmv.fbk.eu=""><br/>*** or email to <nusmv-users@list.fbk.eu>.<br/>*** Please report bugs to <please <nusmv-users@fbk.eu="" bugs="" report="" to="">&gt;</please></nusmv-users@list.fbk.eu></http:> |   |   |
| *** Copyright (c) 2010-2014, Fondazione Bruno Kessler                                                                                                                                                                                                                                                                                                                                     |   |   |
| *** This version of NuSMV is linked to the CUDD library version 2.4.1<br>*** Copyright (c) 1995-2004, Regents of the University of Colorado                                                                                                                                                                                                                                               |   |   |
| *** This version of NuSMV is linked to the MiniSat SAT solver.<br>*** See http://minisat.se/MiniSat.html<br>*** Copyright (c) 2003–2006, Niklas Een, Niklas Sorensson<br>*** Copyright (c) 2007–2010, Niklas Sorensson                                                                                                                                                                    |   |   |
| NuSMV > read_model -i coffee2(jbyoo).smv<br>NuSMV > go<br>WARNING *** Processes are still supported, but deprecated. ***<br>WARNING *** In the future processes may be no longer supported. ***                                                                                                                                                                                           |   |   |
| WARNING *** The model contains PROCESSes or ISAs. ***<br>WARNING *** The HRC hierarchy will not be usable. ***<br>NuSMV > check_fsm                                                                                                                                                                                                                                                       |   |   |
| ######################################                                                                                                                                                                                                                                                                                                                                                    |   |   |





### **The SMV Modeling Checking – Verification Result**

• 2 bugs seeded

| NuSMV > check_ct   spec                                                                                                                                                                                            |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| specification AG (EX TRUE) is true                                                                                                                                                                                 |
| specification EF (state = off -> state = On_operation) is true                                                                                                                                                     |
| specification AG (state = off -> (state = On_operation & state = refund)) is false                                                                                                                                 |
| as demonstrated by the following execution sequence                                                                                                                                                                |
| Trace Description: CTL Counterexample                                                                                                                                                                              |
| Trace Type: Counterexample                                                                                                                                                                                         |
| -> State: 1.1 <-                                                                                                                                                                                                   |
| state = off                                                                                                                                                                                                        |
| onoff_command = FALSE                                                                                                                                                                                              |
| refund_command = FALSE                                                                                                                                                                                             |
| material_lack = FALSE                                                                                                                                                                                              |
| coffee_command = NONE                                                                                                                                                                                              |
| alarm_timeout.time = 0                                                                                                                                                                                             |
| coin_check.coin_value = 0                                                                                                                                                                                          |
| coin_check.coin_reduce =_0                                                                                                                                                                                         |
| alarm_on.alarm_on_=_FALSE                                                                                                                                                                                          |
| current_water = 1000                                                                                                                                                                                               |
| current_milk = 1000                                                                                                                                                                                                |
| current_coffee = 1000                                                                                                                                                                                              |
| current_coin = 0                                                                                                                                                                                                   |
| alarm_timeout.timeout_alarm = TRUE                                                                                                                                                                                 |
| coin_check.main.current_coin = 0                                                                                                                                                                                   |
| specification EF (state = On_operation -> state = off) is true                                                                                                                                                     |
| specification EF (state = On_operation -> current_coin != O) is true                                                                                                                                               |
| specification AX ((state = refund & current_coin != 0) -> current_coin = 0) is true<br>specification AX (((current_coin = 300 & state = On_operation) & coffee_command = specialMilk) -> current_coin = 0) is true |
| specification AX (((current_coin = 300 & state = 0n_operation) & coffee_command = specialMilk) -> current_coin = 100) is true                                                                                      |
| specification AX (((current_coin = 500 & state = On_operation) & coffee_command = special Arrivery current_coin = 200) is true                                                                                     |
| specification AF (((current_milk = 1000 & state = On_operation) & coffee_command = specialMilk) -> EX current_milk = 980) is true                                                                                  |
| specification AF (((current_coffee = 1000 & state = On_operation) & coffee_command = black) -> EX current_coffee = 970) is true                                                                                    |
| specification AF (alarm_on.alarm_on = TRUE -> alarm_on.alarm_on = FALSE) is true                                                                                                                                   |
| specification AG (((current_coffee < 30 & state = On_operation) & coffee_command = black) -> alarm_on.alarm_on = TRUE) is true                                                                                     |
| specification AG (((current_milk < 20 & state = On_operation) & coffee_command = specialMilk) -> alarm_on.alarm_on = TRUE) is true                                                                                 |
| NUSMV > _                                                                                                                                                                                                          |
|                                                                                                                                                                                                                    |



#### **The SMV Modeling Checking - Batch Mode**

```
C:\WINDOWS\system32\cmd.exe
                                                                                                                                                    ×
                                                                                                                                               _
 :#Users#JUNBEOM YOO>NuSMV coffee2(jbyoo).smv
*** This is NuSMV 2.6.0 (compiled on Wed Oct 14 15:37:51 2015)
*** Enabled addons are: compass
*** For more information on NuSMV see <http://nusmv.fbk.eu>
*** or email to <nusmv-users@list.fbk.eu>.
*** Please report bugs to <Please report bugs to <nusmv-users@fbk.eu>>
** Copyright (c) 2010-2014, Fondazione Bruno Kessler
*** This version of NuSMV is linked to the CUDD library version 2.4.1
*** Copyright (c) 1995-2004, Regents of the University of Colorado
*** This version of NuSMV is linked to the MiniSat SAT solver.
*** See http://minisat.se/MiniSat.html
*** Copyright (c) 2003–2006, Niklas Een, Niklas Sorensson
*** Copyright (c) 2007–2010, Niklas Sorensson
MARNING *** Processes are still supported, but deprecated.
MARNING *** In the future processes may be no longer supported. ***
WARNING *** The model contains PROCESSes or ISAs. ***
 ARNING *** The HRC hierarchy will not be usable. ***
 - specification AG (EX TRUE) is true
 - specification EF (state = off -> state = On_operation) is true
 - specification AG (state = off -> (state = On_operation & state = refund)) is false
- as demonstrated by the following execution sequence
race Description: CTL Counterexample
 race Type: Counterexample
 -> State: 1.1 <-
   state = off
   onoff_command = FALSE
   refund_command = FALSE
   material_lack = FALSE
   coffee_command = NONE
   alarm_timeout.time = 0
   coin_check.coin_value = 0
   coin_check.coin_reduce = 0
   alarm_on.alarm_on = FALSE
   current_water = 1000
   current_milk = 1000
   current_coffee = 1000
   current_coin = 0
   alarm_timeout.timeout_alarm = TRUE
   coin_check.main.current_coin = 0
  specification EF (state = On_operation -> state = off) is true
  specification EF (state = On_operation -> current_coin != 0) is true
  specification AX ((state = refund & current_coin != 0) -> current_coin = 0) is true
  specification AX (((current_coin = 300 & state = On_operation) & coffee_command = specialMilk) -> current_coin = 0) is true
  specification AX (((current_coin = 300 & state = On_operation) & coffee_command = specialMilk) -> current_coin = 100) is true
  specification AX (((current_coin = 500 & state = On_operation) & coffee_command = black) -> current_coin = 200) is true specification AF (((current_milk = 1000 & state = On_operation) & coffee_command = specialMilk) -> EX current_milk = 980) is true
  specification AF (((current_coffee = 1000 & state = On_operation) & coffee_command = black) -> EX current_coffee = 970) is true
  specification AF (alarm_on.alarm_on = TRUE -> alarm_on.alarm_on = FALSE) is true
specification AG (((current_coffee < 30 & state = On_operation) & coffee_command = black) -> alarm_on.alarm_on = TRUE) is true
  specification AG (((current_milk < 20 & state = On_operation) & coffee_command = specialMilk) -> alarm_on.alarm_on = TRUE) is true
 :#Users#JUNBEOM_YOO>
```

