Loading in 5 sec....

On Partitioning and Symbolic Model Checking FM 2005PowerPoint Presentation

On Partitioning and Symbolic Model Checking FM 2005

- By
**janus** - Follow User

- 106 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' On Partitioning and Symbolic Model Checking FM 2005' - janus

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### On Partitioning and Symbolic Model CheckingFM 2005

Outline

Outline

Outline

Outline

Subramanian Iyer, UT-Austin

Debashis Sahoo, Stanford

E. Allen Emerson, UT-Austin

Jawahar Jain, Fujitsu Labs

Outline

- Background
- The Partitioning Approach
- Model Checking
- The naïve algorithm
- An improved algorithm

- Experiments and Conclusion

Outline

- Background
- The Partitioning Approach
- Model Checking
- The naïve algorithm
- An improved algorithm

- Experiments and Conclusion

Sequential Verification

- Does Implementation fullfil its Specification?
- Model Checking:
- State Based
- Given: System under test
- Prove: properties given in a temporal logic (eg: CTL, LTL)

- Required for Model Checking:
- Input Data : Transition relation
- Generated : Reachable states, Forbidden states
- Procedures : Boolean Operations, Image Computation

S0

Reachability AnalysisAlgorithm:

Simple property:

2n

From=Reached=S0

do{

To = Img(TR,From)

New = To \ Reached

Reached = Reached + To

From = New

}while(New Ø )

- C

- D

Model Checking

- Hinges on Reachability
- Basic Operation: Pre-image

- In Simple terms
- Given “bad” formula f
- Compute reachable states
- Compute states satisfying f
- Pass if intersection is empty

- Key issues : State set generation and representation
- Extensional, as originally proposed.
- Symbolic, as now practiced

y

y

z

z

1

0

OrderedBinary Decision Diagrams- BDDs with
- read-once property
- fixed Variable order

- The restrictions guarantee:
- Canonicity
- efficient Algorithms for Boolean Operations, Tautology, SAT and Equivalence check

- Disadvantage:
- Blow-Up possible

- The minimizing problem:
- better BDD Types (?)
- Transformations (?)
- Variable- Reordering
- Local Search: Sifting

Symbolic Model Checking

- Using BDDs to represent sets of states
- Key operation is image computation
- Using transition relation
- Necessary to succinctly represent the transition relation
What is the problem?

The Bottleneck in Verification

State-based verification, model checking

- Can be fully automated in principle
Why not in practice?

- State space representation
- Symbolically manifests as “BDD blowup”
- Limits extent of automation
- Limits size of designs that can be handled

- Symbolically manifests as “BDD blowup”
- Capacity is restricted by representation size
- Memory restricts time
- BDD based tools – crash or thrash
So What can be done?

Outline

- Background
- The Partitioning Approach
- Model Checking
- The naïve algorithm
- An improved algorithm

- Experiments and Conclusion

Partitioned Transition Relation

- Represented as conjunction of k parts TRi
- Easy to construct for synchronous circuits
- Conjunction of “bitwise” TRi’s – the transition function of each state variable
- Set of variables partitioned into k disjoint subsets
- Transition functions for variables in each subset are conjuncted together to give TRi
- TR is the implicit conjunction of TRi for i in 1 to k

Partitioned TR (Cont‘d)

- Basis of reachable states computation:
- Partitioned TR:

TRj

Cluster of ROBDDs

Monolithic ROBDD

Image Computation

- The image computation step:
- Partitioned TR useful due to early quantification (AndExist):
- Choice and order of TRj’s is crucial for a good performance!

Img(TR,A)= $x( TR(x,y) A(x))

Img(TR,A)= $xn( TRn ...$x2( TR2 $x1( TR1 A)))...)

Partitioned TR - Observations

- What is it that is partitioned?
- The set of variables
- The relation

- Actual TR is an implicit conjunction
- Sets of states always ROBDD
- During image computation
- Before and After image computation

So What?

- Sets of states as ROBDDs
- Can get very large

- TR parts repeatedly conjuncted
- During each image
- Made easier combined with quantification
- Still repeated expense

- Solution: Partition all state-sets

^

^

^

^

f2

f4

f3

f1

Partitioned ROBDD (POBDD)Given the Boolean Function

Xfis its partitioned-ROBDD representation if,

where

and

are ROBDDs with variable ordering pi, and,

w2

w1

Each wiis called a window function

Note that the ROBDDs in each partition may have a different variables ordering pi

w4

w3

A simple example

f = c (a1b1 + a2b2) + c (a1a2 + b1b2 )

w1 = c

w2 = c

f1 = c (a1b1 + a2b2)

f2 = c (a1a2 + b1b2 )

f2

f1

c

c

a1

a1

a2

b1

b1

a2

b2

b2

1

1

0

0

2 : c, a1, a2, b1, b2

1 : c, a1, b1, a2, b2

On Using Partitioning

- Sets of states disjunctively partitioned
- Key : Use same partitioning windows
- In particular, set of reachable states

- Induces disjunctive partitioning on TR
- TR is a Relation on state pairs: Quadratic

- Notice each such TRijcan further be
- Monolithic, Disjunctive, or Conjunctive

- Image computation
- Must consider to and from set in each partition

Reachability Revisited

Old Algorithm:

From=Reached=S0

do{

To = Img(TR,From)

New = To \ Reached

Reached += To

From = New

}while(New Ø )

Notice that From is now partitioned

TR applied to Fromiof partition i,

result Toiis also partitioned

So Toijis owned by partition j

Must be given to j.

Quadratic such transfers!

Image and Reachability

- Fix point computations performed
- On each partition locally Using TRii
- Use reachability algorithm on ROBDDs

- Synchronization between partitions
- Cross-over images finds states use TRij , .
- Must keep it infrequent
- Postponed till local fixpoint reached

- Background
- The Partitioning Approach
- Model Checking
- The naïve algorithm
- An improved algorithm

- Experiments and Conclusion

CTL : temporal properties

- EX(f), E(fUg), EG(f) form a basis set
- Invariant Checking AGp
- Absence of Deadlock
- Return to reset state AGEF(s0)

- Temporal Implication AG(p EF q)
- Liveness EGp, AFp

- Background
- The Partitioning Approach
- Model Checking
- The naïve algorithm
- An improved algorithm

- Experiments and Conclusion

Image Computation EXp

- forall (partitions j)
- forall (partitions k)
- PreImg_jk(s) = ∃s′,i[TRjk(s, s′, i) ∧ pk(s′)]
- reorder BDD PreImgjk from part order k to j
end for

- Sj = ∨k PreImgjk
end for

- forall (partitions k)
- output S

Least Fix Point E(pUq)

- S := q , S.old := NULL
- repeat
- S.old := S
- temp := computeEX(S)
- forall (partitions j)
- Sj := qj ∨ (pj ∧ tempj)
end for

until(S = S.old)

- Sj := qj ∨ (pj ∧ tempj)

- output S

Greatest Fix Point EGp

- S := p
- repeat
- S.old := S
- temp := computeEX(S)
- forall (partitions j)
- Sj := pj ∧ tempj
end for

until(S = S.old)

- Sj := pj ∧ tempj

- output S

What’s the problem?

- Image computation has two parts
- Transitions local to a partition (i=j)
- Transitions Crossing over partitions (i<>j)

- Cross-over images are expensive!
- Get BDDs, maybe from disk
- Store BDDs, maybe over network
- Reorder large BDDs

- The classical algorithm does one set of cross-over image during each EX.

- Background
- The Partitioning Approach
- Model Checking
- The naïve algorithm
- An improved algorithm

- Experiments and Conclusion

Least Fix Point E(pUq)

- S := q, S.old := NULL
- repeat
- S.old := S
- forall (partitions j)
- repeat
- Sj .old := Sj
- Sj := Sj ∨ (pj ∧ EXl(Sj , j)) … under-approximate
until(Sj = Sj .old)

end for

- repeat
- S := S ∨ (p ∧ EXc(S)) … add missing states
until(S = S.old)

- output S

Greatest Fix Point EGp

- S := p
- Border := p ∧ EXc(S) … candidate set
- repeat
- S.old := S
- forall (partitions j)
- repeat
- Sj .old := Sj
- Sj := pj ∧ (EXl(Sj , j) ∨ Borderj) … over-approx

- until(Sj == Sj .old)
end for

- repeat
- Border := p ∧EXc(S) … prune states
until(S == S.old)

- output S

- Background
- The Partitioning Approach
- Model Checking
- The naïve algorithm
- An improved algorithm

- Experiments and Conclusion

Conclusions

Assuming a model where cross-over images are very expensive, the proposed algorithm:

- Is no worse than the classical algorithm
- Converges faster, empirically, in terms of
- Number of cross-over images
- Time spent in cross-over images

- Reduces total model checking time
- Often quite significantly

- Is good for parallel model checking

Download Presentation

Connecting to Server..