Context Navigation

source: vis_dev/vis-2.1/share/help/model_checkCmd.txt @ 14

Last change on this file since 14 was 11, checked in by cecile, 13 years ago
Add vis
File size: 17.2 KB

Line
1
2	model_check - perform fair CTL model checking on a flattened network
3	_________________________________________________________________
4
5	model_check [-b] [-c] [-d <dbg_level>] [-f <dbg_file>] [-g
6	<hints_file>] [-h] [-i] [-m] [-r] [-t <time_out_period>][-v
7	<verbosity_level>] [-D <dc_level>] [-F] [-S <schedule>] [-V] [-B] [-I]
8	[-C] <ctl_file>
9
10	Performs fair CTL model checking on a flattened network. Before
11	calling this command, the user should have initialized the design by
12	calling the command [1]init_verify. Regardless of the options, no
13	'false positives' or 'false negatives' will occur: the result is
14	correct for the given circuit.
15
16	Properties to be verified should be provided as CTL formulas in the
17	file ctl_file. Note that the support of any wire referred to in a
18	formula should consist only of latches. For the precise syntax of CTL
19	formulas, see the [2]VIS CTL and LTL syntax manual.
20
21	Properties of the form AG f, where f is a formula not involving path
22	quantifiers are referred to as invariants; for such properties it may
23	be substantially faster to use the [3]check_invariant command.
24
25	A fairness constraint can be specified by invoking the
26	[4]read_fairness command; if none is specified, all paths are taken to
27	be fair. If some initial states do not lie on a fair path, the model
28	checker prints a message to this effect.
29
30	A formula passes iff it is true for all initial states of the system.
31	Therefore, in the presence of multiple initial states, if a formula
32	fails, the negation of the formula may also fail.
33
34	If a formula does not pass, a (potentially partial) proof of failure
35	(referred to as a debug trace) is demonstrated. Fair paths are
36	represented by a finite sequence of states (the stem) leading to a
37	fair cycle, i.e. a cycle on which there is a state from each fairness
38	condition. The level of detail of the proof can be specified (see
39	option -d).
40
41	Both backward (future tense CTL formulas) and forward (past tense CTL
42	formulas) model checking can be performed. Forward model checking is
43	based on Iwashita's ICCAD96 paper. Future tense CTL formulas are
44	automatically converted to past tense ones as much as possible in
45	forward model checking.
46
47	Command options:
48
49	-b
50	Use backward analysis when performing debugging; the default is
51	to use forward analysis. This should be tried when the debugger
52	spends a large amount of time when creating a path to a fair
53	cycle. This option is not compatible with forward model
54	checking option (-F).
55
56	-c
57	Use the formula tree so that there is no sharing of
58	sub-formulae among the formulae in the input file. This option
59	is useful in the following scenario - formulae A, B and C are
60	being checked in order and there is sub-formula sharing between
61	A and C. If the BDDs corresponding to the shared sub-formula is
62	huge then computation for B might not be able to finish without
63	using this option.
64
65	-d <dbg_level>
66	Specify the amount of debugging performed when the system fails
67	a formula being checked. Note that it may not always be
68	possible to give a simple counter-example to show that a
69	formula is false, since this may require enumerating all paths
70	from a state. In such a case the model checker will print a
71	message to this effect. This option is incompatible with -F.
72
73	dbg_level must be one of the following:
74
75	0: No debugging performed. dbg_level=0 is the default.
76
77	1: Debugging with minimal output: generate counter-examples for
78	universal formulas (formulas of the form AX\|AF\|AU\|AG) and
79	witnesses for existential formulas (formulas of the form
80	EX\|EF\|EU\|EG). States on a path are not further analyzed.
81
82	2: Same as dbg_level=1, but more verbose. (The subformulas are
83	printed, too.)
84
85	3: Maximal automatic debugging: as for level 1, except that
86	states occurring on paths will be recursively analyzed.
87
88	4: Manual debugging: at each state, the user is queried if more
89	feedback is desired.
90
91	-f <dbg_file>
92	Write the debugger output to dbg_file. This option is
93	incompatible with -F. Notes: when you use -d4 (interactive
94	mode), -f is not recommended, since you can't see the output of
95	vis on stdout.
96
97	-g <hints_file>
98	Use guided search. The file hints_file contains a series of
99	hints. A hint is a formula that does not contain any temporal
100	operators, so hints_file has the same syntax as a file of
101	invariants used for check_invariant. The hints are used in the
102	order given to change the transition relation. In the case of
103	least fixpoints (EF, EU), the transition relation is conjoined
104	with the hint, whereas for greatest fixpoints the transition
105	relation is disjoined with the negation of the hint. If the
106	hints are cleverly chosen, this may speed up the computation
107	considerably, because a search with the changed transition
108	relation may be much simpler than one with the original
109	transition relation, and results obtained can be reused, so
110	that we may never have to do a complicated search with the
111	original relation. Note: hints in terms of primary inputs are
112	not useful for greatest fixpoints. See also: Ravi and Somenzi,
113	Hints to accelerate symbolic traversal. CHARME'99; Bloem, Ravi,
114	and Somenzi, Efficient Decision Procedures for Model Checking
115	of Linear Time Logic Properties, CAV'99; Bloem, Ravi, and
116	Somenzi, Symbolic Guided Search for CTL Model Checking, DAC'00.
117
118	For formulae that contain both least and greatest fixpoints,
119	the behavior depends on the flag guided_search_hint_type. If it
120	is set to local (default) then every subformula is evaluated to
121	completion, using all hints in order, before the next
122	subformula is started. For pure ACTL or pure ECTL formulae, we
123	can also set guided_search_hint_type to global, in which case
124	the entire formula is evaluated for one hint before moving on
125	to the next hint, using underapproximations. The description of
126	the options for guided search can be found in the help page for
127	print_guided_search_options.
128
129	model_check will call reachability without any guided search,
130	even if -g is used. If you want to perform reachability with
131	guided search, call rch directly.
132
133	Incompatible with -F.
134
135	-h
136	Print the command usage.
137
138	-i
139	Print input values causing transitions between states during
140	debugging. Both primary and pseudo inputs are printed. This
141	option is incompatible with -F.
142
143	-m
144	Pipe debugger output through the UNIX utility more. This option
145	is incompatible with -F.
146
147	-r
148	Reduce the FSM derived from the flattened network with respect
149	to each formula being checked. By default, the FSM is reduced
150	with respect to the conjunction of the formulae in the input
151	file. If this option is used and don't cares are being used for
152	simplification, then subformula sharing is disabled (result
153	might be incorrect otherwise).
154
155	The truth of a formula may be independent of parts of the
156	network (such as when wires have been abstracted; see
157	[5]flatten_hierarchy). These parts are effectively removed when
158	this option is invoked; this may result in more efficient model
159	checking.
160
161	-t <timeOutPeriod>
162	Specify the time out period (in seconds) after which the
163	command aborts. By default this option is set to infinity.
164
165	-v <verbosity_level>
166	Specify verbosity level. This sets the amount of feedback on
167	CPU usage and code status.
168	verbosity_level must be one of the following:
169
170	0: No feedback provided. This is the default.
171
172	1: Feedback on code location.
173
174	2: Feedback on code location and CPU usage.
175
176	-B
177	Check for vacuously passing formulae using the algorithm of
178	Beer et al. (CAV97). The algorithm applies to a subset of ACTL
179	(w-ACTL) and replaces the smallest important subformula of a
180	passing property with either FALSE or TRUE depending on its
181	negation parity. It then applies model checking to the
182	resulting witness formula. If the witness formula also passes,
183	then the original formula is deemed to pass vacuously. If the
184	witness formula fails, a counterexample to it provides an
185	interesting witness to the original passing formula. See the
186	CAV97 paper for the definitions of w-ACTL, important
187	subformula, and interesting witness. In short, one of the
188	operands of a binary operator in a w-ACTL formula must be a
189	propositional formula. See also the -V option.
190
191	-C
192	Compute coverage of all observable signals in a set of CTL
193	formulae using the algorithm of Hoskote, Kam, Ho, Zhao
194	(DAC'99). If the verbosity level (-v option) is equal to 0,
195	only the coverage stats are printed. If verbosity level is
196	greater than zero, then detailed information of the computation
197	at each step of the algorithm is also provided. Debug
198	information is provided in the form of states not covered for
199	each observable signal if the dbg_level (-d option) is greater
200	than 0. The number of states printed is set by the vis
201	environment variable 'nr_uncoveredstates'. By default the
202	number of states printed is 1. The value of nr_uncoveredstates
203	can be set using the set command. See also the -I option.
204
205	-D <dc_level>
206	Specify extent to which don't cares are used to simplify MDDs
207	in model checking. Don't cares are minterms on which the values
208	taken by functions do not affect the computation; potentially,
209	these minterms can be used to simplify MDDs and reduce the time
210	taken to perform model checking. The -g flag for guided search
211	does not affect the way in which the don't-care conditions are
212	computed.
213	dc_level must be one of the following:
214
215	0 : No don't cares are used.
216
217	1 : Use unreachable states as don't cares. This is the default.
218
219	2 : Use unreachable states as don't cares and in the EU
220	computation, use 'frontiers' for image computation.
221
222	3 : First compute an overapproximation of the reachable states
223	(ARDC), and use that as the cares set. Use `frontiers' for
224	image computation. For help on controlling options for ARDC,
225	look up help on the command: [6]print_ardc_options. Refer to
226	Moon, Jang, Somenzi, Pixley, Yuan, "Approximate Reachability
227	Don't Cares for {CTL} Model Checking", ICCAD98, and to two
228	papers by Cho et al, IEEE TCAD December 1996: one is for State
229	Space Decomposition and the other is for Approximate FSM
230	Traversal.
231
232	-F
233	Use forward model checking based on Iwashita's method in
234	ICCAD96. Future tense CTL formulas are automatically converted
235	to past tense ones as much as possible. Converted forward
236	formulas are printed when verbosity is greater than 0. Debug
237	options (-b, -d, -f, -i, and -m) are ignored with this option.
238	We have seen that forward model checking was much faster than
239	backward in many cases, also forward was much slower than
240	backward in many cases.
241
242	-I
243	Compute coverage of all observable signals in a set of CTL
244	formulae using an improved algorithm of Jayakumar, Purandare,
245	Somenzi (DAC'03). If the verbosity level (-v option) is equal
246	to 0, only the coverage stats are printed. If verbosity level
247	is greater than zero, then detailed information of the
248	computation at each step of the algorithm is also provided.
249	Debug information is provided in the form of states not covered
250	for each observable signal if the dbg_level (-d option) is
251	greater than 0. The number of states printed is set by the vis
252	environment variable 'nr_uncoveredstates'. By default the
253	number of states printed is 1. The value of nr_uncoveredstates
254	can be set using the set command. Compared to the -C option,
255	this one produces more accurate results and deals with a larger
256	subset of CTL.
257
258	-S <schedule>
259	Specify schedule for GSH algorithm, which generalizes the
260	Emerson-Lei algorithm and is used to compute greatest
261	fixpoints. The choice of schedule affects the sequence in which
262	EX and EU operators are applied. It makes a difference only
263	when fairness constraints are specified.
264	<schedule> must be one of the following:
265
266	EL : EU and EX operators strictly alternate. This is the
267	default.
268
269	EL1 : EX is applied once for every application of all EUs.
270
271	EL2 : EX is applied repeatedly after each application of all
272	EUs.
273
274	budget : a hybrid of EL and EL2.
275
276	random : enabled operators are applied in (pseudo-)random
277	order.
278
279	off : GSH is disabled, and the old algorithm is used instead.
280	The old algorithm uses the EL schedule, but the termination
281	checks are less sophisticated than in GSH.
282
283	-V
284	Check for vacuously passing formulae with the algorithm of
285	Purandare and Somenzi (CAV2002). The algorithm applies to all
286	of CTL, and to both passing and failing properties. It says
287	whether a passing formula may be strengthened and still pass,
288	and whether a failing formula may be weakened and still fail.
289	It considers all leaves of a formula that are under one
290	negation parity (e.g., not descendants of a XOR or EQ node) for
291	replacement by either TRUE or FALSE. See also the -B option.
292
293	-w <node_file> This option invoked the algorithm to generate an error
294	trace divided into fated and free segements. Fate represents
295	the inevitability and free is asserted when there is no
296	inevitability. This can be formulated as a two-player
297	concurrent reachability game. The two players are the
298	environment and the system. The node_file is given To specify
299	the variables the are controlled by the system.
300
301	-W
302	This option represents the case that all input variables are
303	controlled by system.
304
305	-G
306	We proposed two algorithm to generate segemented counter example. They
307	are general and restrcited algorithm. Bu default we use
308	restricted algorithm. We can invoke general algorithm with -G
309	option. For more information, please check the STTT'04 paper of
310	Jin et al., "Fate and Free Will in Error Traces"
311
312	<ctl_file>
313	File containing CTL formulas to be model checked.
314
315	Related "set" options:
316
317	ctl_change_bracket <yes/no>
318	Vl2mv automatically converts "[]" to "<>" in node names,
319	therefore CTL parser does the same thing. However, in some
320	cases a user does not want to change node names in CTL parsing.
321	Then, use this set option by giving "no". Default is "yes".
322
323	guided_search_hint_type
324	Switches between local and global hints (see the -g option, or
325	the help page for set).
326
327	See also commands : approximate_model_check,
328	incremental_ctl_verification
329	_________________________________________________________________
330
331	Last updated on 20050519 10h16
332
333	References
334
335	1. file://localhost/projects/development/hsv/vis/common/doc/html/init_verifyCmd.html
336	2. file://localhost/projects/development/hsv/vis/common/doc/ctl/ctl/ctl.html
337	3. file://localhost/projects/development/hsv/vis/common/doc/html/check_invariantCmd.html
338	4. file://localhost/projects/development/hsv/vis/common/doc/html/read_fairnessCmd.html
339	5. file://localhost/projects/development/hsv/vis/common/doc/html/flatten_hierarchyCmd.html
340	6. file://localhost/projects/development/hsv/vis/common/doc/html/print_ardc_optionsCmd.html

Note: See TracBrowser for help on using the repository browser.

Download in other formats: