Model checking with NuSMV

Time: 2017-04-08 10:55:49

Tags: formal-verification model-checking nusmv nuseen

Is there no value like NULL, nil or None in NuSMV?

And should we not make a model for a process, because a model is supposed to replicate an electronic circuit?

My situation is that I have a UART connector, a main memory and a process; the latter reads from and writes to main memory and reads from and writes to the UART. In main memory, the data named K should stay unchanged. We want to prove that if the process does not write to `K` then the value of `K` equals its next value.

I would like to know whether my model is fine-grained enough or too abstract, and whether I used the correct data types.

```smv
MODULE UART (proc, output, input)
VAR state : {idle, receive, transmit};
    Rx : unsigned word [ 8 ]; --vector of bytes
    Tx : unsigned word [ 8 ];
ASSIGN
    next (Rx) :=
        case
            proc = read : input; TRUE : (Rx);
        esac;
    next (Tx) :=
        case
            proc = write : output; TRUE : (Tx);
        esac;
    next (state) :=
        case
            proc = write : receive; proc = read : transmit; TRUE : idle;
        esac;
TRANS
    proc != read -> next (Rx) = Rx;

MODULE MEM (proc, input, output)
VAR K : unsigned word [ 8 ];
    data : array 0 .. 7 of array 0 .. 7 of unsigned word [ 8 ];
ASSIGN
    init (data[1][0]) := K;
    next (K) :=
        case
            output = data[1][0] : output;
            TRUE : K;
        esac;

MODULE main
VAR proc : {idle, read, write};
    input : unsigned word [ 8 ];
    output : unsigned word [ 8 ];
    memory : MEM (proc, input, output);
    uart0 : UART (proc, input, output);
ASSIGN
    init (input) := memory.data[0][0];
    init (output) := memory.data[0][0];
LTLSPEC G (output != memory.data[1][0]) -> G (memory.K = next (memory.K))
```

1 answer:

Answer 0 (score: 2)

In your post you touch many topics, I am not sure which is your main question.

Is it true that in NuSMV there is no value like NULL, nil, None?

It is true in the same sense that it is true for C. Nil is only one value within the values allowed by the given data-type. Looking at your example, it seems you do not really need it anyway, no?

And that we should not make a model for a process because the models should represent electronic circuits?

No. You can represent whatever you want as long as you do not need to create dynamic objects (e.g., a malloc in C). A different issue is about synchronicity/concurrency of the processes. You can still model asynchronous processes, but it requires explicitly encoding a scheduler.

Regarding the code: I did not run it, but many things look suspicious. I would suggest you try to use NuSMV simulation commands to see how the model behaves.

  • UART Module: You only write to both Rx and Tx. Those values are never read.
  • UART Module: I would suggest against mixing ASSIGN and TRANS. That is an easy way to introduce deadlocks in your model. Moreover, the TRANS that you wrote is already subsumed by the ASSIGN.
  • UART Module: Why do you need the state variable?
  • MEM Module: I do not understand why you are using an array of array, since you are only looking at two values. I think you can abstract this part more. From your informal description, it seems like you do not need it.
  • LTL: I am not sure whether the property captures what you have in mind. I would write: `G ( proc != write -> (memory.K = next(memory.K)) )`

If you have this example encoded in another language (e.g., C) or you can revise the description of the problem, then I can provide you with more information.
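A version of the model that applies the answer's suggestions (no Rx/Tx, no state variable, no array, no TRANS), as an added example that is neither the asker's nor the answerer's code. It assumes the process changes K only by writing the byte `output` into it while `proc = write`, and it checks the "K is unchanged unless written" property through history variables (`prevK`, `wrote`) so that no `next()` is needed inside the specification itself:

```smv
-- Added example: the memory reduced to the one byte the question is about.
-- Assumption: the process only changes K by writing `output` while proc = write.
MODULE MEM(proc, output)
VAR
    K : unsigned word[8];
ASSIGN
    next(K) :=
        case
            proc = write : output;  -- the process writes K
            TRUE         : K;       -- read or idle: K keeps its value
        esac;

MODULE main
VAR
    proc   : {idle, read, write};   -- chosen freely each step: models the process
    output : unsigned word[8];      -- chosen freely: whatever byte the process writes
    memory : MEM(proc, output);
    prevK  : unsigned word[8];      -- history variable: K in the previous step
    wrote  : boolean;               -- history variable: proc was write in the previous step
ASSIGN
    init(prevK) := memory.K;        -- no previous step yet, so nothing to compare against
    init(wrote) := TRUE;
    next(prevK) := memory.K;
    next(wrote) := proc = write;

-- If the previous step was not a write, K must equal its previous value.
INVARSPEC (!wrote -> memory.K = prevK)
-- The same property stated as an LTL safety formula.
LTLSPEC G (!wrote -> memory.K = prevK)
```

Running `NuSMV model.smv` checks both specifications; a counterexample trace, if any, would show the step in which K changed without a write.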