1 / 39

# On Partitioning and Symbolic Model Checking FM 2005 - PowerPoint PPT Presentation

On Partitioning and Symbolic Model Checking FM 2005. Subramanian Iyer, UT-Austin Debashis Sahoo, Stanford E. Allen Emerson, UT-Austin Jawahar Jain, Fujitsu Labs. Outline. Background The Partitioning Approach Model Checking The naïve algorithm An improved algorithm

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

## PowerPoint Slideshow about ' On Partitioning and Symbolic Model Checking FM 2005' - janus

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### On Partitioning and Symbolic Model CheckingFM 2005

Subramanian Iyer, UT-Austin

Debashis Sahoo, Stanford

E. Allen Emerson, UT-Austin

Jawahar Jain, Fujitsu Labs

• Background

• The Partitioning Approach

• Model Checking

• The naïve algorithm

• An improved algorithm

• Experiments and Conclusion

• Background

• The Partitioning Approach

• Model Checking

• The naïve algorithm

• An improved algorithm

• Experiments and Conclusion

• Does Implementation fullfil its Specification?

• Model Checking:

• State Based

• Given: System under test

• Prove: properties given in a temporal logic (eg: CTL, LTL)

• Required for Model Checking:

• Input Data : Transition relation

• Generated : Reachable states, Forbidden states

• Procedures : Boolean Operations, Image Computation

S0

Reachability Analysis

Algorithm:

Simple property:

2n

From=Reached=S0

do{

To = Img(TR,From)

New = To \ Reached

Reached = Reached + To

From = New

}while(New  Ø )

• C

• D

• Hinges on Reachability

• Basic Operation: Pre-image

• In Simple terms

• Given “bad” formula f

• Compute reachable states

• Compute states satisfying f

• Pass if intersection is empty

• Key issues : State set generation and representation

• Extensional, as originally proposed.

• Symbolic, as now practiced

y

y

z

z

1

0

OrderedBinary Decision Diagrams

• BDDs with

• read-once property

• fixed Variable order

• The restrictions guarantee:

• Canonicity

• efficient Algorithms for Boolean Operations, Tautology, SAT and Equivalence check

• Disadvantage:

• Blow-Up possible

• The minimizing problem:

• better BDD Types (?)

• Transformations (?)

• Variable- Reordering

• Local Search: Sifting

• Using BDDs to represent sets of states

• Key operation is image computation

• Using transition relation

• Necessary to succinctly represent the transition relation

What is the problem?

State-based verification, model checking

• Can be fully automated in principle

Why not in practice?

• State space representation

• Symbolically manifests as “BDD blowup”

• Limits extent of automation

• Limits size of designs that can be handled

• Capacity is restricted by representation size

• Memory restricts time

• BDD based tools – crash or thrash

So What can be done?

• Background

• The Partitioning Approach

• Model Checking

• The naïve algorithm

• An improved algorithm

• Experiments and Conclusion

Partitioned Transition Relation

• Represented as conjunction of k parts TRi

• Easy to construct for synchronous circuits

• Conjunction of “bitwise” TRi’s – the transition function of each state variable

• Set of variables partitioned into k disjoint subsets

• Transition functions for variables in each subset are conjuncted together to give TRi

• TR is the implicit conjunction of TRi for i in 1 to k

• Basis of reachable states computation:

• Partitioned TR:

TRj

Cluster of ROBDDs

Monolithic ROBDD

• The image computation step:

• Partitioned TR useful due to early quantification (AndExist):

• Choice and order of TRj’s is crucial for a good performance!

Img(TR,A)= \$x( TR(x,y) A(x))

Img(TR,A)= \$xn( TRn ...\$x2( TR2 \$x1( TR1 A)))...)

• What is it that is partitioned?

• The set of variables

• The relation

• Actual TR is an implicit conjunction

• Sets of states always ROBDD

• During image computation

• Before and After image computation

• Sets of states as ROBDDs

• Can get very large

• TR parts repeatedly conjuncted

• During each image

• Made easier combined with quantification

• Still repeated expense

• Solution: Partition all state-sets

^

^

^

^

f2

f4

f3

f1

Partitioned ROBDD (POBDD)

Given the Boolean Function

Xfis its partitioned-ROBDD representation if,

where

and

are ROBDDs with variable ordering pi, and,

w2

w1

Each wiis called a window function

Note that the ROBDDs in each partition may have a different variables ordering pi

w4

w3

f = c (a1b1 + a2b2) + c (a1a2 + b1b2 )

w1 = c

w2 = c

f1 = c (a1b1 + a2b2)

f2 = c (a1a2 + b1b2 )

f2

f1

c

c

a1

a1

a2

b1

b1

a2

b2

b2

1

1

0

0

2 : c, a1, a2, b1, b2

1 : c, a1, b1, a2, b2

• Sets of states disjunctively partitioned

• Key : Use same partitioning windows

• In particular, set of reachable states

• Induces disjunctive partitioning on TR

• TR is a Relation on state pairs: Quadratic

• Notice each such TRijcan further be

• Monolithic, Disjunctive, or Conjunctive

• Image computation

• Must consider to and from set in each partition

Old Algorithm:

From=Reached=S0

do{

To = Img(TR,From)

New = To \ Reached

Reached += To

From = New

}while(New  Ø )

Notice that From is now partitioned

TR applied to Fromiof partition i,

result Toiis also partitioned

So Toijis owned by partition j

Must be given to j.

Quadratic such transfers!

• Fix point computations performed

• On each partition locally Using TRii

• Use reachability algorithm on ROBDDs

• Synchronization between partitions

• Cross-over images finds states use TRij , .

• Must keep it infrequent

• Postponed till local fixpoint reached

w2

w1

I1(x)

I3(x)

w3

w4

Event Queue

1

3

w2

w1

I1(x)

T11

I3(x)

w3

w4

Event Queue

3

Local Fix Point

3

4

Cross-over images

w2

w1

T12

R1

T14

T13

I3(x)

w3

w4

w2

w1

R1

T33

I3(x)

w3

w4

Event Queue

4

Another Local Fix point

w2

w1

R1

T31

T32

T34

R3

w3

w4

Event Queue

4

2

1

More Cross over images

w2

w1

R1

T44

R3

w3

w4

Event Queue

1

2

Example, cont.

• Background

• The Partitioning Approach

• Model Checking

• The naïve algorithm

• An improved algorithm

• Experiments and Conclusion

• EX(f), E(fUg), EG(f) form a basis set

• Invariant Checking AGp

• Absence of Deadlock

• Return to reset state AGEF(s0)

• Temporal Implication AG(p  EF q)

• Liveness EGp, AFp

• Background

• The Partitioning Approach

• Model Checking

• The naïve algorithm

• An improved algorithm

• Experiments and Conclusion

• forall (partitions j)

• forall (partitions k)

• PreImg_jk(s) = ∃s′,i[TRjk(s, s′, i) ∧ pk(s′)]

• reorder BDD PreImgjk from part order k to j

end for

• Sj = ∨k PreImgjk

end for

• output S

• S := q , S.old := NULL

• repeat

• S.old := S

• temp := computeEX(S)

• forall (partitions j)

• Sj := qj ∨ (pj ∧ tempj)

end for

until(S = S.old)

• output S

• S := p

• repeat

• S.old := S

• temp := computeEX(S)

• forall (partitions j)

• Sj := pj ∧ tempj

end for

until(S = S.old)

• output S

• Image computation has two parts

• Transitions local to a partition (i=j)

• Transitions Crossing over partitions (i<>j)

• Cross-over images are expensive!

• Get BDDs, maybe from disk

• Store BDDs, maybe over network

• Reorder large BDDs

• The classical algorithm does one set of cross-over image during each EX.

• Background

• The Partitioning Approach

• Model Checking

• The naïve algorithm

• An improved algorithm

• Experiments and Conclusion

• S := q, S.old := NULL

• repeat

• S.old := S

• forall (partitions j)

• repeat

• Sj .old := Sj

• Sj := Sj ∨ (pj ∧ EXl(Sj , j)) … under-approximate

until(Sj = Sj .old)

end for

• S := S ∨ (p ∧ EXc(S)) … add missing states

until(S = S.old)

• output S

• S := p

• Border := p ∧ EXc(S) … candidate set

• repeat

• S.old := S

• forall (partitions j)

• repeat

• Sj .old := Sj

• Sj := pj ∧ (EXl(Sj , j) ∨ Borderj) … over-approx

• until(Sj == Sj .old)

end for

• Border := p ∧EXc(S) … prune states

until(S == S.old)

• output S

• Background

• The Partitioning Approach

• Model Checking

• The naïve algorithm

• An improved algorithm

• Experiments and Conclusion

Assuming a model where cross-over images are very expensive, the proposed algorithm:

• Is no worse than the classical algorithm

• Converges faster, empirically, in terms of

• Number of cross-over images

• Time spent in cross-over images

• Reduces total model checking time

• Often quite significantly

• Is good for parallel model checking