on partitioning and symbolic model checking fm 2005
Download
Skip this Video
Download Presentation
On Partitioning and Symbolic Model Checking FM 2005

Loading in 2 Seconds...

play fullscreen
1 / 39

On Partitioning and Symbolic Model Checking FM 2005 - PowerPoint PPT Presentation


  • 107 Views
  • Uploaded on

On Partitioning and Symbolic Model Checking FM 2005. Subramanian Iyer, UT-Austin Debashis Sahoo, Stanford E. Allen Emerson, UT-Austin Jawahar Jain, Fujitsu Labs. Outline. Background The Partitioning Approach Model Checking The naïve algorithm An improved algorithm

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' On Partitioning and Symbolic Model Checking FM 2005' - janus


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
on partitioning and symbolic model checking fm 2005

On Partitioning and Symbolic Model CheckingFM 2005

Subramanian Iyer, UT-Austin

Debashis Sahoo, Stanford

E. Allen Emerson, UT-Austin

Jawahar Jain, Fujitsu Labs

outline
Outline
  • Background
  • The Partitioning Approach
  • Model Checking
    • The naïve algorithm
    • An improved algorithm
  • Experiments and Conclusion
outline1
Outline
  • Background
  • The Partitioning Approach
  • Model Checking
    • The naïve algorithm
    • An improved algorithm
  • Experiments and Conclusion
sequential verification
Sequential Verification
  • Does Implementation fullfil its Specification?
  • Model Checking:
    • State Based
    • Given: System under test
    • Prove: properties given in a temporal logic (eg: CTL, LTL)
  • Required for Model Checking:
    • Input Data : Transition relation
    • Generated : Reachable states, Forbidden states
    • Procedures : Boolean Operations, Image Computation
reachability analysis

S0

Reachability Analysis

Algorithm:

Simple property:

2n

From=Reached=S0

do{

To = Img(TR,From)

New = To \ Reached

Reached = Reached + To

From = New

}while(New  Ø )

  • C
  • D
model checking
Model Checking
  • Hinges on Reachability
    • Basic Operation: Pre-image
  • In Simple terms
    • Given “bad” formula f
    • Compute reachable states
    • Compute states satisfying f
    • Pass if intersection is empty
  • Key issues : State set generation and representation
    • Extensional, as originally proposed.
    • Symbolic, as now practiced
o rdered b inary d ecision d iagrams

x

y

y

z

z

1

0

OrderedBinary Decision Diagrams
  • BDDs with
    • read-once property
    • fixed Variable order
  • The restrictions guarantee:
    • Canonicity
    • efficient Algorithms for Boolean Operations, Tautology, SAT and Equivalence check
  • Disadvantage:
    • Blow-Up possible
  • The minimizing problem:
    • better BDD Types (?)
    • Transformations (?)
    • Variable- Reordering
      • Local Search: Sifting
symbolic model checking
Symbolic Model Checking
  • Using BDDs to represent sets of states
  • Key operation is image computation
    • Using transition relation
    • Necessary to succinctly represent the transition relation

What is the problem?

the bottleneck in verification
The Bottleneck in Verification

State-based verification, model checking

  • Can be fully automated in principle

Why not in practice?

  • State space representation
    • Symbolically manifests as “BDD blowup”
      • Limits extent of automation
      • Limits size of designs that can be handled
  • Capacity is restricted by representation size
    • Memory restricts time
    • BDD based tools – crash or thrash

So What can be done?

outline2
Outline
  • Background
  • The Partitioning Approach
  • Model Checking
    • The naïve algorithm
    • An improved algorithm
  • Experiments and Conclusion
partitioned transition relation
Partitioned Transition Relation
  • Represented as conjunction of k parts TRi
  • Easy to construct for synchronous circuits
  • Conjunction of “bitwise” TRi’s – the transition function of each state variable
    • Set of variables partitioned into k disjoint subsets
    • Transition functions for variables in each subset are conjuncted together to give TRi
    • TR is the implicit conjunction of TRi for i in 1 to k
partitioned tr cont d
Partitioned TR (Cont‘d)
  • Basis of reachable states computation:
  • Partitioned TR:

TRj

Cluster of ROBDDs

Monolithic ROBDD

image computation
Image Computation
  • The image computation step:
  • Partitioned TR useful due to early quantification (AndExist):
  • Choice and order of TRj’s is crucial for a good performance!

Img(TR,A)= $x( TR(x,y) A(x))

Img(TR,A)= $xn( TRn ...$x2( TR2 $x1( TR1 A)))...)

partitioned tr observations
Partitioned TR - Observations
  • What is it that is partitioned?
    • The set of variables
    • The relation
  • Actual TR is an implicit conjunction
  • Sets of states always ROBDD
    • During image computation
    • Before and After image computation
so what
So What?
  • Sets of states as ROBDDs
    • Can get very large
  • TR parts repeatedly conjuncted
    • During each image
    • Made easier combined with quantification
      • Still repeated expense
  • Solution: Partition all state-sets
partitioned robdd pobdd

f

^

^

^

^

f2

f4

f3

f1

Partitioned ROBDD (POBDD)

Given the Boolean Function

Xfis its partitioned-ROBDD representation if,

where

and

are ROBDDs with variable ordering pi, and,

w2

w1

Each wiis called a window function

Note that the ROBDDs in each partition may have a different variables ordering pi

w4

w3

a simple example
A simple example

f = c (a1b1 + a2b2) + c (a1a2 + b1b2 )

w1 = c

w2 = c

f1 = c (a1b1 + a2b2)

f2 = c (a1a2 + b1b2 )

f2

f1

c

c

a1

a1

a2

b1

b1

a2

b2

b2

1

1

0

0

2 : c, a1, a2, b1, b2

1 : c, a1, b1, a2, b2

on using partitioning
On Using Partitioning
  • Sets of states disjunctively partitioned
    • Key : Use same partitioning windows
    • In particular, set of reachable states
  • Induces disjunctive partitioning on TR
    • TR is a Relation on state pairs: Quadratic
  • Notice each such TRijcan further be
    • Monolithic, Disjunctive, or Conjunctive
  • Image computation
    • Must consider to and from set in each partition
reachability revisited
Reachability Revisited

Old Algorithm:

From=Reached=S0

do{

To = Img(TR,From)

New = To \ Reached

Reached += To

From = New

}while(New  Ø )

Notice that From is now partitioned

TR applied to Fromiof partition i,

result Toiis also partitioned

So Toijis owned by partition j

Must be given to j.

Quadratic such transfers!

image and reachability
Image and Reachability
  • Fix point computations performed
    • On each partition locally Using TRii
    • Use reachability algorithm on ROBDDs
  • Synchronization between partitions
    • Cross-over images finds states use TRij , .
    • Must keep it infrequent
    • Postponed till local fixpoint reached
reachability example initial set
Reachability Example: Initial set

w2

w1

I1(x)

I3(x)

w3

w4

Event Queue

1

3

local fix point

w2

w1

I1(x)

T11

I3(x)

w3

w4

Event Queue

3

Local Fix Point
cross over images

Event Queue

3

4

Cross-over images

w2

w1

T12

R1

T14

T13

I3(x)

w3

w4

another local fix point

w2

w1

R1

T33

I3(x)

w3

w4

Event Queue

4

Another Local Fix point
more cross over images

w2

w1

R1

T31

T32

T34

R3

w3

w4

Event Queue

4

2

1

More Cross over images
example cont

w2

w1

R1

T44

R3

w3

w4

Event Queue

1

2

Example, cont.
outline3
Outline
  • Background
  • The Partitioning Approach
  • Model Checking
    • The naïve algorithm
    • An improved algorithm
  • Experiments and Conclusion
ctl temporal properties
CTL : temporal properties
  • EX(f), E(fUg), EG(f) form a basis set
    • Invariant Checking AGp
    • Absence of Deadlock
      • Return to reset state AGEF(s0)
    • Temporal Implication AG(p  EF q)
    • Liveness EGp, AFp
outline4
Outline
  • Background
  • The Partitioning Approach
  • Model Checking
    • The naïve algorithm
    • An improved algorithm
  • Experiments and Conclusion
image computation exp
Image Computation EXp
  • forall (partitions j)
    • forall (partitions k)
      • PreImg_jk(s) = ∃s′,i[TRjk(s, s′, i) ∧ pk(s′)]
      • reorder BDD PreImgjk from part order k to j

end for

    • Sj = ∨k PreImgjk

end for

  • output S
least fix point e puq
Least Fix Point E(pUq)
  • S := q , S.old := NULL
  • repeat
    • S.old := S
    • temp := computeEX(S)
    • forall (partitions j)
      • Sj := qj ∨ (pj ∧ tempj)

end for

until(S = S.old)

  • output S
greatest fix point egp
Greatest Fix Point EGp
  • S := p
  • repeat
    • S.old := S
    • temp := computeEX(S)
    • forall (partitions j)
      • Sj := pj ∧ tempj

end for

until(S = S.old)

  • output S
what s the problem
What’s the problem?
  • Image computation has two parts
    • Transitions local to a partition (i=j)
    • Transitions Crossing over partitions (i<>j)
  • Cross-over images are expensive!
    • Get BDDs, maybe from disk
    • Store BDDs, maybe over network
    • Reorder large BDDs
  • The classical algorithm does one set of cross-over image during each EX.
outline5
Outline
  • Background
  • The Partitioning Approach
  • Model Checking
    • The naïve algorithm
    • An improved algorithm
  • Experiments and Conclusion
least fix point e puq1
Least Fix Point E(pUq)
  • S := q, S.old := NULL
  • repeat
    • S.old := S
    • forall (partitions j)
      • repeat
        • Sj .old := Sj
        • Sj := Sj ∨ (pj ∧ EXl(Sj , j)) … under-approximate

until(Sj = Sj .old)

end for

    • S := S ∨ (p ∧ EXc(S)) … add missing states

until(S = S.old)

  • output S
greatest fix point egp1
Greatest Fix Point EGp
  • S := p
  • Border := p ∧ EXc(S) … candidate set
  • repeat
    • S.old := S
    • forall (partitions j)
      • repeat
        • Sj .old := Sj
        • Sj := pj ∧ (EXl(Sj , j) ∨ Borderj) … over-approx
      • until(Sj == Sj .old)

end for

    • Border := p ∧EXc(S) … prune states

until(S == S.old)

  • output S
outline6
Outline
  • Background
  • The Partitioning Approach
  • Model Checking
    • The naïve algorithm
    • An improved algorithm
  • Experiments and Conclusion
conclusions
Conclusions

Assuming a model where cross-over images are very expensive, the proposed algorithm:

  • Is no worse than the classical algorithm
  • Converges faster, empirically, in terms of
    • Number of cross-over images
    • Time spent in cross-over images
  • Reduces total model checking time
    • Often quite significantly
  • Is good for parallel model checking
ad