Release notes for SMV release 10-11-02p1

This release primarily adds two new model checking techniques:

Proof-based abstraction This technique uses a SAT solver to derive an abstraction for symbolic model checking. It is mainly useful for cases when a property can be proved using only a small part of the system being verified (this situation occurs commonly in RTL-level hardware verification). In such cases it often succeeds where ordinary symbolic model checking fails.
SAT-based model checking. This is a purely SAT-based technique that has some of the same virtues as the proof-based abstraction method but does not use BDD's. It may be appropriate to use this technique if the BDD-based model checker bogs down when using the proof-based abstraction method. Note, this is not the technique described in CAV02.

Both of the above are full or "unbounded" model checkers. This means that they check for counterexamples of any length, as opposed to a bounded model checker which checks for counterexamples up to a given length.

This release also includes a new SAT solver called "smvsat" which is now the default SAT solver for the various techniques that use SAT, including bounded model checking (-bmc), proof-based abstraction (-absref) and SAT-based model checking (-smcsat2). This is a "proof generating" SAT solver, meaning that in the unsatisfiable case it produces a proof of the empty clause using resolution steps. SMV can still use zChaff (or other SAT solvers) for bounded model checking, but this cannot be used with the new model checking techniques since they rely on proofs of unsatisfiability.

Release notes for SMV release 08-20-01p1

Bug fixes only.

fixed: -persist -together didn't work
fixed: bogus counterexamples with BMC
fixed: "next" applied to a formal parameter didn't work

Release notes for SMV release 08-20-01

Changes from previous release

"Bounded model checking" is now fully supported. All of SMV's types, operators and abstractions can be used with bounded model checking.
The zChaff SAT solver from Princeton is now supported.
Bounded model checking is now available under Windows.
Ordset bit vectors are now supported.
Instantiating uninterpreted functions is supported (see the tutorial).
"Lazy flattening" makes it possible to read in large hardware designs quickly (see the tutorial).
Verilog "functions" are supported.
Global options can be included in the source file.

Bugs fixes since previous release

Note, this is a very partial list.

4-30-01 fixed: false positive can occur when checking two properties that differ only in the symbolic constants used. this was a problem with the syntax hashing code.
5-22-01 fixed: -persist -together stopped after the first failed property in a group. Now, all properties in a group are checked under -persist -together, even if some are false.
6-11-01 fixed: A statement like the following:

using z prove x//L;

would sometimes case all assumed properties to be used to prove x//L, even if the assumed properties were not specified in using..prove statements.
6-12-01 fixed: Sifting sometimes caused a crash or "catastrophe" during counterexample generation. This is because a few entries were left over in the apply cache after sifting.
7-6-01 fixed: Incorrect test for complete subcases. Would give a false positive in this case:

...for f[a] = b & g[b] = a

and a false negative in this case: ...for foo=a & ((bar=a) ? x : y) = b

Release notes for SMV patch release 08-08-00p3

This is a bug fix release only.

Bugs fixed since previous release

fixed: didn't do "enumerate unknowns" on properties.
fixed: didn't detect the following multiple assignment:

if(cond)
forall(i in T) foo : bar[i];

lead to a crash.
fixed: was incorrectly reporting the name of undefined options when using the syntax option=value.
change: default abstraction heuristics will not choose a layer assignment that is "assumed", unless the user explicitly requests this. Since assumptions are dangerous, we want the user to know where assumptions are used. This is especially important if layer assignments are being used to restrict the search space for partial verification.
vw was failing to display the "verification finished" dialog when all properties are proved.
wasn't recognizing common subexpressions that differed only in bound variable names. As a result, couldn't prove properties containing quantifiers.
fixed: in the following:

forall(i in foo) x := &[x[i]: i = 0..3];

the i in x[i] was bound by the "forall" and not the i = 0..3.
fixed: incorrectly reported proof cycle in an inductive proof when subcases of a property p were named p[i]. For example:

forall(i in T){
subcase p[i] of p for v = i;
using p[i-1] prove p[i];
}
fixed: incorrectly handled expressions like the following:
next(x[i]) := x[i-1];

led to strange signal names like "x[2-1]" in the cone.
fixed: Incorrect abstraction of extremal constants in ordset types led to false positive.

Release notes for SMV patch release 08-08-00p1

This is a bug fix release only.

Bugs fixed since previous release

False positive when using "enumerate unknowns" option, when some type is reduced to to set {Nan} (i.e., no fixed constants of the type are used). You could verify, for example:

x,y : array foo of boolean;
z : foo;

p : assert G (x[z] = y[z]);
bug: dumps core when you have an unbound parameter in a type reduction declaration. e.g.:

using NAT->{n,n+1} prove p[i][j];
False positive when data type reducction did *not* include some bound parameter of the type. Ex:

ordset foo 0..;
module main(){
x : foo;
forall(i in foo)forall(j in foo){
q[i][j] : assert x=i;
using foo->{j} prove q[i][j];
}
}

Known bugs in this release

bug: dumps core when you have an unbound parameter in a type reduction declaration. e.g.:

using NAT->{n,n+1} prove p[i][j];

Release notes for SMV release 08-08-00

Changes from previous release

The option "Enumerate unknown values" is an attempt to automatically control the propagation of "bottom" or unknown values in models that have been abstracted by data type reductions. See the new tutorial section on "Propagation of unknown values".
A coarser abstraction is now used for ordset types. In this abstraction, SMV does not check separately the case where some interval (i..j) between parameters is empty or non-empty. This greatly reduces the number of cases generated.
Conditional proof statements, of the form

using p if cond prove q;
have been added. SMV uses this mechanism to support course-of-values induction. See the tutorial section on "Conditional proof statements, and course-of-values induction" for examples, including Lamport's "bakery" mutual exclusion algorithm for N processes.

Bugs fixed since previous release

m N/A

Release notes for SMV release 12-09-99

This is a bug fix release only.

Bugs fixed since previous release

10-26-99 Fixed: SMV abstraction heuristics no longer choose assignments that are subcases of other assignments
11-03-99 Fixed: if-then-else operator was non monotonic. Led to false positive!
11-04-99 Fixed: enum(x[y]) did not work if y was scalarset parameter.
11-04-99 Fixed: if initial value of a variable depends on a zero delay signal, the zero delay signal when ignored when computing the initial states.
11-04-99 Fixed: breaking symmetry of scalarset of unbounded range resulted in divergence!

The bug is not entirely fixed, however. Although the symmetry of an unbounded scalarset can be broken, assignments that have subscripts of such a type on the left-hand-side are not supported. For example, the following code doesn't work:

scalarset foo undefined;
...

x : aray foo of boolean;

breaking(foo)
x[y] := boolean;

The workaround for this is to make the type foo bounded.
11-10-99 Fixed: assignments of form x := [a,b,c,..] didn't give correct result when x was not of type array .. of boolean
11-22-99 Fixed: could not cast x[y] to a vector, where y is of scalarset type and x[y] is a scalar or undefined.
11-23-99 Fixed: a statement like

if(c)
x[a] := ...;
else
forall(i)
x[i] :=...;

(or generally, any quantifier inside an if-then-else) was treated as a multiple definition of x.
11-24-99 Change: now allow module calls inside if-then-else.
12-9-99 Fixed: Better error message produced when a parameter is used illegally on the left-hand-side of an assignment, as in:

forall(i in foo)
x[i+1] := y;

Known bugs in the release

10-26-99 Bug: If p is an assertion, then "using p prove q" will cause p[i] to be used as well, even if p[i] is a subcase.
11-04-99 Bug: Broken unbounded scalarsets not allowed as subscripts on left-hand-side of assignments (see above).

Release notes for SMV patch release 09-01-99p4

This is a bug fix release only.

Bugs fixed since previous release

10-06-99 Fixed: expressions of the form

x[y] in {a,b,c}

could cause unnecessary combinational variables. The problem was that the value of x[y] with y out of range was returned as "universe" rather then "bottom".

Release notes for SMV patch release 09-01-99p3

This is a bug fix release only.

Bugs fixed since previous release

Expressions of the form

x[y] in {a,b,c}

could result in unnecessary combinational variables. This caused some verification runs that previoiusly terminated to diverge. The problem is now fixed.

Release notes for SMV patch release 09-01-99p2

This is a bug fix release only.

Bugs fixed since previous release

Failed when X operator nested inside nonboolean op like "=". Symptom was:

@(#)report.c 3.2: apply_func_op:op=367

Now provides meaningful error message. Fix is to use boolean equivalence "<->" instead of equality "=".
Failure while checking temporal properties. Symptom was:

@(#)report.c 3.2: unref_bdd: negative reference count

This is now fixed.
Failure while reading in result file (.out) after model checking. Symptom was:

"file.out", line XX:XX: unterminated string or character constant

This is now fixed.
Failure when zero-delay and unit delay assignments are combined with "resolve". For example:

x : boolean resolve;
init(x) := 0;
x := 1;
The symptom was:

@(#)report.c 3.2: apply_func_op: op = 415

This now produces a meaningful error message.

Release notes for SMV release 09-01-99

Changes from previous release

Added scalarset bit vectors.
This makes it possible to treat bit vectors, such as address, as scalarset vectors, in both SMV and Synchronous Verilog. A scalarset bit vector can be treated as a symetric scalar quantity at a high level of abstraction and as a bit vector at a lower level. In particular, bit vectors in Synchronous Verilog can be declared as scalarsets, while maintaining "synthesizable" code, using macros for the types.
Added layer, breaking, scalarset and ordset declarations to SV
In support of the above. Should also allow some compositional verification to be done directly in SV, although the type structure of SV is still too poor to support writing abstract models.
Added an interface to the "bounded model checker" from CMU
This uses a SAT solver to search for counterexamples of a bounded depth. The bounded model checker "bmc" and the SAT solver "sato" must be installed separately. This option only works on Unix-like systems. At present, it depends on various Unix programs like sh, awk and sed, which means there may be incompatbilities due to variations in these programs on different systems.
Support for induction generalized.
Previously, SMV could not handle more than one ordset parameter in a property, thus "double induction" was impossible. This is now fixed, although the nember of representative cases generated with multiple orderset parameters of the same type can be quite large! Also, inequality operators can now be applied to ordsets.
Case splitting on non-symmetric types.
You can now split cases on a variable or expression of a non-symmetric type. The variable or expression must be statically typable, so that SMV can determine whether the specified cases are exhaustive. Thus, for example, if x is of type boolean, then the following is legal:
forall(i = 0..1) subcase bar[i] of foo for x = i;

Note, this could just as well be written out as separate subcase declarations without the loop:
subcase bar[0] of foo for x = 0; subcase bar[1] of foo for x = 1;
That is, because we do not need to obey symmetry rules, we can write out the expansion of the loop using constants. This also allows us to split cases on a variable of enumerated type, for example:
y : {red, green, blue}; subcase red_case of foo for x = red; subcase green_case of foo for x = green; subcase blue_case of foo for x = blue;
Of course, we can't use a parameterized property name, like bar[i], since array subscripts can't be of enumerated type. Notice this also means that we can split cases on any expression that can be stactically typed as boolean. Thus for example:
subcase special_mode_case of foo for (mode = special) = 1; subcase normal_mode_case of foo for (mode = special) = 0;
Added "Using" pane to VW. Displays all the assertions used to prove the current property, and whether they are assumed "upt to t", "up to t - 1" or "always".
Added SMV language pretty printer (Unix only) See smvps(1).




      Bugs fixed since previous release


  4-20-99: SMV was confusing "unkown" (i.e., bottom) with "universal
nondeterministic choice, leading to possible false positives.
7-16-99: "while" statement in smv and SV was broken.
 8-5-99: catastrophe "improve_bool" during sifting, caused by saturated
reference counts. reference counts during sifting are now unbounded. 

8-5-99: Catastrophe "improve_bool" during sifting, caused by saturated
reference counts. reference counts during sifting are now unbounded. 
8-5-99: Fixed: garbage collected far too infrequently when sifting was effective,
since the garbage collection threshold was based on the pre-sifted BDD node count.

8-11-99: Fixed: wasn't sifting during evaluation of CTL ops.

 8-24-99: Was incorrectly handling the case where an LTL property contained
a parameter not present in the property name. The symptom was a skolem constant
like "k0" appearing the the model, which in turn resulted in a syntax error in
the .out file. 

9-1-99: Some incompatibilities with CMU SMV:

  1) In old SMV modules, X, F and G should not be keywords
  2) In old SMV modules, next(x=y) should be O.K.
  3) In old SMV modules, E[p U q] should be treated as E(p U q)




      Known bugs in current release

 7-24-98 Bug: combining input/output and process

 10-20-98 Bug: vl2smv truncates parameters to 32 bits.

 10-20-98 Bug: Model checker computed bogus hash code for property
when using "Verify All" but not "Verify " (or with smv, while
not using -check ). This resulted in false positive verification
which is fixed when .smv_history is removed. Note hash codes must have
been different for "Verify All" and "Verify ". Only one property in file.
This bug may have been fixed by new hash code scheme.

 10-22-98 Bug: "Goto" in vw doesn't work when no property is specified.

 10-23-98 Bug: in mc.c, CTL formulas, XOR and IFF are not implemented monotonically

 11-7-98 Bug: When using ordsets, a combinational dependency
of i on i+1 will cause the circular dependency checking
to diverge, and finally crash when stack space is exhausted.
For example:

  ordset foo;

  x : array foo of boolean;

  forall(i in foo)
    x[i] := x[i+1];


On the other hand, next(x[i]) := x[i+1] would be O.K.
The same comment probably holds true for "refines"
declarations. For example

  spec[i] refines spec[i+1]

 1-13-98 Bug: SMV treats scalar type variables with large range in a very
inefficient way. This leads to long run times building transition relation.

 7-22-98: Abstraction heuristics shouldn't use layers that are subcases.

Since SMV doesn't take this into account, it sometimes leaves a signal
free when there is one obvious abstraction choice, but that assignment has
been subcased. Workaround is just to specify the desired layer by hand
in a using..prove declaration.

 7-22-98: scalar_to_vector doesn't handle "weak".

 An expression like "foo ? [0,1] : weak" won't be handled correctly.


8-9-99: If we break the symmetry of a scalarset bit vector, we may get a
nondeterministic chocie over vectors. Since we can't handle this, right now
the choice will simply return "bottom". However, this is likely to be very confusing
to users. See the comment in "element_of_expr()".

      


      Release notes for SMV release 03-19-99



      Changes from previous release

 Date unknown: Added "incremental search" to browser, properties and cone
panes. Incremental search doesn't work in trace pane.


      Known bugs in current release

      
 7-24-98 Bug: combining input/output and process

 10-20-98 Bug: vl2smv truncates parameters to 32 bits.

 10-20-98 Bug: Model checker computed bogus hash code for property
when using "Verify All" but not "Verify " (or with smv, while
not using -check ). This resulted in false positive verification
which is fixed when .smv_history is removed. Note hash codes must have
been different for "Verify All" and "Verify ". Only one property in file.
This bug may have been fixed by new hash code scheme.

 10-22-98 Bug: "Goto" in vw doesn't work when no property is specified.

 10-23-98 Bug: in mc.c, CTL formulas, XOR and IFF are not implemented monotonically

 11-7-98 Bug: When using ordsets, a combinational dependency
of i on i+1 will cause the circular dependency checking
to diverge, and finally crash when stack space is exhausted.
For example:

  ordset foo;

  x : array foo of boolean;

  forall(i in foo)
    x[i] := x[i+1];


On the other hand, next(x[i]) := x[i+1] would be O.K.
The same comment probably holds true for "refines"
declarations. For example

  spec[i] refines spec[i+1]

 1-13-98 Bug: SMV treats scalar type variables with large range in a very
inefficient way. This leads to long run times building transition relation.
      

      Bugs fixed since previous release


 11-11-98 Fixed: vl2smv crashed on casez. Now maps both casez and casex to case.

 11-11-98 Fixed: SMV objected to vectors as conditions in if-then-else. This is
apparently used in verilog. Semantics of vectors as conditions to i-t-e is now
as follows: the condition is the OR of all the elements of the vector. This should
be consistent with the verilog interpretation, since any non-zero vector will
yield true.

 1-12-98 Fixed: Circular proofs of temporal logic formulas (assert statements)
are now allowed provided

	1) All properties on cycle begin with "G" operator

	2) At least one using..prove declaration on the cycle
is "unit delay", thus:

	   using (x) prove y


Any used assertions on a cycle with the the assertion being proved will
be assumed only up to time t (or t-1 in unit delay case).


 2-22-98: Fixed. Seg faulted on Linux in "Explain Layer" code. 

 Date unknown: Fixed: Identical subformulas in LTL formulas caused multiple
copies of tableau variables, resulting in catastrophe in model checker.

 3-6-98: Fixed: Possible false positive (!) on AG property without
forward search.
    



      Release notes for SMV release 11-7-98



      Changes from previous release


 8-19-98 Change: Now attempts to translate LTL formulas into CTL
formulas.

 8-20-98 Change: Cleaned up the options menu in VW.

 10-14-98 Change: Allow options on command line in form option=value

 10-14-98 Change: VW no longer uses separate abstraction files for
each property. Instead, abstraction changes made by VW are stored
in a single file "file.env" for all properties. Manually created
abstraction files can still be used, with the -abs switch. However,
these files are not modified by VW, so user's comments are preserved.

 10-15-98 Change: Implemented "assume" declaration.

 10-20-98 Change: Goto (in vw) now finds both backward and forward dependencies.

 10-30-98 Changed: Added "drag and drop" to traces pane

      Bugs fixed since previous release



 7-24-98 Fixed: error when next() operator
        used outside the lhs of an assignment.


 7-27-98 Fixed: catastrophe when AG operator in "assert" statement.

 8-3-98 Fixed: vector on RHS of << caused smv to hang.

 8-4-98 Fixed: apparent circularity in the following case:

	always @(...) begin

	  if (x) begin end

          y = ...;
   	end

	assign x = y;

circularity is caused by misconstrued dependency of y on x.

 8-18-98 Fixed: Tcl error when mouse used in trace pane on
Openwindows. Caused by Tix not handling enter and leave events.

 8-19-98 Fixed: vl2smv crashes when concatenation on LHS of assignment,
e.g.:

    assign {x,y} = expr;

 8-20-98 Fixed: A single quote mark in a comment introduced by --
resulted in "unterminated string constant" error.

 8-20-98 Fixed: empty "default" in "case" caused vl2mv crash

 8-20-98 Fixed: Could not override standard options "-v 1 -f -h"
from options panel. This is now fixed. Also, on the smv command
line, the default options can be turned off with the switch "--"

 8-20-98 Fixed:  Goto menu in VW did no "zap" cause the selected
signal to be visible in the browser.


 8-20-98 Fixed: Brought man pages (closer to) up-to-date.

 8-21-98 Fixed: Using fairness constraints formulas not beginning
with a temporal op gave false negative because initial states
were not restricted to fair initial states. This in turn led
to a catastrophe during the counterexample generation.

 10-14-98 Fixed: vectors as temporal formulas, or temporal ops applied
to vectirs produced catastrophe. Now produces error message.

 10-14-98 Fixed: Catastrophe when undefined signal is assigned in a layer
when using -lax option (first found 8-17-98).

 10-14-98 Fixed: Properly inserts error messages from verification
subprocess in source file, if source file location provided.

 10-14-98 Fixed: "Requested Layer" in view menu now works

 10-15-98 Fixed: Tableau variables break variable order file syntax. As
a result, variable order files for LTL formulas could not be read back
in via -i option.

 10-15-98 Fixed: Vl2smv now supports "inout" declarations

 10-15-98 Fixed: Failed to produce looping counterexamples for
formulas not ending in EG.

 10-15-98 Fixed: Synopsys "translate_off" and "translate_on" implemented.

 10-15-98 Fixed: Now supports names begin/end blocks and local variables
in begin/end blocks.


 10-20-98 Fixed: SMV and VW can now find line numbers of assignments, type
declarations and module instances in verilog files.

 10-20-98 Fixed: vl2smv did not allow parameters in vector iterators (reported 9-9-98).

 10-20-98 Fixed: vl2smv did not allow bit ranges on paremeters (e.g.

	parameter [1:0] y = 2'd3;


 10-20-98 Fixed: History menu in VW did not work. (reported 8-20-98 )


 10-30-98 Fixed: When reopening after an error in SMV, sometimes
would incorrectly report scalarset mismatches.

 10-30-98 Fixed: Fixed keyboard shortcuts and traversal in vw

 10-30-98 Fixed: Vw did not set property when trace is selected


      
      Ken McMillan


Last modified: Fri Oct 11 18:05:32 PDT 2002