On Partitioning and Symbolic Model Checking FM 2005

1 / 39

On Partitioning and Symbolic Model Checking FM 2005 - PowerPoint PPT Presentation

On Partitioning and Symbolic Model Checking FM 2005. Subramanian Iyer, UT-Austin Debashis Sahoo, Stanford E. Allen Emerson, UT-Austin Jawahar Jain, Fujitsu Labs. Outline. Background The Partitioning Approach Model Checking The naïve algorithm An improved algorithm

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

PowerPoint Slideshow about ' On Partitioning and Symbolic Model Checking FM 2005' - janus

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

On Partitioning and Symbolic Model CheckingFM 2005

Subramanian Iyer, UT-Austin

Debashis Sahoo, Stanford

E. Allen Emerson, UT-Austin

Jawahar Jain, Fujitsu Labs

Outline
• Background
• The Partitioning Approach
• Model Checking
• The naïve algorithm
• An improved algorithm
• Experiments and Conclusion
Outline
• Background
• The Partitioning Approach
• Model Checking
• The naïve algorithm
• An improved algorithm
• Experiments and Conclusion
Sequential Verification
• Does Implementation fullfil its Specification?
• Model Checking:
• State Based
• Given: System under test
• Prove: properties given in a temporal logic (eg: CTL, LTL)
• Required for Model Checking:
• Input Data : Transition relation
• Generated : Reachable states, Forbidden states
• Procedures : Boolean Operations, Image Computation

S0

Reachability Analysis

Algorithm:

Simple property:

2n

From=Reached=S0

do{

To = Img(TR,From)

New = To \ Reached

Reached = Reached + To

From = New

}while(New  Ø )

• C
• D
Model Checking
• Hinges on Reachability
• Basic Operation: Pre-image
• In Simple terms
• Compute reachable states
• Compute states satisfying f
• Pass if intersection is empty
• Key issues : State set generation and representation
• Extensional, as originally proposed.
• Symbolic, as now practiced

x

y

y

z

z

1

0

OrderedBinary Decision Diagrams
• BDDs with
• fixed Variable order
• The restrictions guarantee:
• Canonicity
• efficient Algorithms for Boolean Operations, Tautology, SAT and Equivalence check
• Blow-Up possible
• The minimizing problem:
• better BDD Types (?)
• Transformations (?)
• Variable- Reordering
• Local Search: Sifting
Symbolic Model Checking
• Using BDDs to represent sets of states
• Key operation is image computation
• Using transition relation
• Necessary to succinctly represent the transition relation

What is the problem?

The Bottleneck in Verification

State-based verification, model checking

• Can be fully automated in principle

Why not in practice?

• State space representation
• Symbolically manifests as “BDD blowup”
• Limits extent of automation
• Limits size of designs that can be handled
• Capacity is restricted by representation size
• Memory restricts time
• BDD based tools – crash or thrash

So What can be done?

Outline
• Background
• The Partitioning Approach
• Model Checking
• The naïve algorithm
• An improved algorithm
• Experiments and Conclusion
Partitioned Transition Relation
• Represented as conjunction of k parts TRi
• Easy to construct for synchronous circuits
• Conjunction of “bitwise” TRi’s – the transition function of each state variable
• Set of variables partitioned into k disjoint subsets
• Transition functions for variables in each subset are conjuncted together to give TRi
• TR is the implicit conjunction of TRi for i in 1 to k
Partitioned TR (Cont‘d)
• Basis of reachable states computation:
• Partitioned TR:

TRj

Cluster of ROBDDs

Monolithic ROBDD

Image Computation
• The image computation step:
• Partitioned TR useful due to early quantification (AndExist):
• Choice and order of TRj’s is crucial for a good performance!

Img(TR,A)= \$x( TR(x,y) A(x))

Img(TR,A)= \$xn( TRn ...\$x2( TR2 \$x1( TR1 A)))...)

Partitioned TR - Observations
• What is it that is partitioned?
• The set of variables
• The relation
• Actual TR is an implicit conjunction
• Sets of states always ROBDD
• During image computation
• Before and After image computation
So What?
• Sets of states as ROBDDs
• Can get very large
• TR parts repeatedly conjuncted
• During each image
• Made easier combined with quantification
• Still repeated expense
• Solution: Partition all state-sets

f

^

^

^

^

f2

f4

f3

f1

Partitioned ROBDD (POBDD)

Given the Boolean Function

Xfis its partitioned-ROBDD representation if,

where

and

are ROBDDs with variable ordering pi, and,

w2

w1

Each wiis called a window function

Note that the ROBDDs in each partition may have a different variables ordering pi

w4

w3

A simple example

f = c (a1b1 + a2b2) + c (a1a2 + b1b2 )

w1 = c

w2 = c

f1 = c (a1b1 + a2b2)

f2 = c (a1a2 + b1b2 )

f2

f1

c

c

a1

a1

a2

b1

b1

a2

b2

b2

1

1

0

0

2 : c, a1, a2, b1, b2

1 : c, a1, b1, a2, b2

On Using Partitioning
• Sets of states disjunctively partitioned
• Key : Use same partitioning windows
• In particular, set of reachable states
• Induces disjunctive partitioning on TR
• TR is a Relation on state pairs: Quadratic
• Notice each such TRijcan further be
• Monolithic, Disjunctive, or Conjunctive
• Image computation
• Must consider to and from set in each partition
Reachability Revisited

Old Algorithm:

From=Reached=S0

do{

To = Img(TR,From)

New = To \ Reached

Reached += To

From = New

}while(New  Ø )

Notice that From is now partitioned

TR applied to Fromiof partition i,

result Toiis also partitioned

So Toijis owned by partition j

Must be given to j.

Image and Reachability
• Fix point computations performed
• On each partition locally Using TRii
• Use reachability algorithm on ROBDDs
• Synchronization between partitions
• Cross-over images finds states use TRij , .
• Must keep it infrequent
• Postponed till local fixpoint reached
Reachability Example: Initial set

w2

w1

I1(x)

I3(x)

w3

w4

Event Queue

1

3

w2

w1

I1(x)

T11

I3(x)

w3

w4

Event Queue

3

Local Fix Point

Event Queue

3

4

Cross-over images

w2

w1

T12

R1

T14

T13

I3(x)

w3

w4

w2

w1

R1

T33

I3(x)

w3

w4

Event Queue

4

Another Local Fix point

w2

w1

R1

T31

T32

T34

R3

w3

w4

Event Queue

4

2

1

More Cross over images

w2

w1

R1

T44

R3

w3

w4

Event Queue

1

2

Example, cont.
Outline
• Background
• The Partitioning Approach
• Model Checking
• The naïve algorithm
• An improved algorithm
• Experiments and Conclusion
CTL : temporal properties
• EX(f), E(fUg), EG(f) form a basis set
• Invariant Checking AGp
• Temporal Implication AG(p  EF q)
• Liveness EGp, AFp
Outline
• Background
• The Partitioning Approach
• Model Checking
• The naïve algorithm
• An improved algorithm
• Experiments and Conclusion
Image Computation EXp
• forall (partitions j)
• forall (partitions k)
• PreImg_jk(s) = ∃s′,i[TRjk(s, s′, i) ∧ pk(s′)]
• reorder BDD PreImgjk from part order k to j

end for

• Sj = ∨k PreImgjk

end for

• output S
Least Fix Point E(pUq)
• S := q , S.old := NULL
• repeat
• S.old := S
• temp := computeEX(S)
• forall (partitions j)
• Sj := qj ∨ (pj ∧ tempj)

end for

until(S = S.old)

• output S
Greatest Fix Point EGp
• S := p
• repeat
• S.old := S
• temp := computeEX(S)
• forall (partitions j)
• Sj := pj ∧ tempj

end for

until(S = S.old)

• output S
What’s the problem?
• Image computation has two parts
• Transitions local to a partition (i=j)
• Transitions Crossing over partitions (i<>j)
• Cross-over images are expensive!
• Get BDDs, maybe from disk
• Store BDDs, maybe over network
• Reorder large BDDs
• The classical algorithm does one set of cross-over image during each EX.
Outline
• Background
• The Partitioning Approach
• Model Checking
• The naïve algorithm
• An improved algorithm
• Experiments and Conclusion
Least Fix Point E(pUq)
• S := q, S.old := NULL
• repeat
• S.old := S
• forall (partitions j)
• repeat
• Sj .old := Sj
• Sj := Sj ∨ (pj ∧ EXl(Sj , j)) … under-approximate

until(Sj = Sj .old)

end for

• S := S ∨ (p ∧ EXc(S)) … add missing states

until(S = S.old)

• output S
Greatest Fix Point EGp
• S := p
• Border := p ∧ EXc(S) … candidate set
• repeat
• S.old := S
• forall (partitions j)
• repeat
• Sj .old := Sj
• Sj := pj ∧ (EXl(Sj , j) ∨ Borderj) … over-approx
• until(Sj == Sj .old)

end for

• Border := p ∧EXc(S) … prune states

until(S == S.old)

• output S
Outline
• Background
• The Partitioning Approach
• Model Checking
• The naïve algorithm
• An improved algorithm
• Experiments and Conclusion
Conclusions

Assuming a model where cross-over images are very expensive, the proposed algorithm:

• Is no worse than the classical algorithm
• Converges faster, empirically, in terms of
• Number of cross-over images
• Time spent in cross-over images
• Reduces total model checking time
• Often quite significantly
• Is good for parallel model checking