On Partitioning and Symbolic Model Checking (FM 2005)

Subramanian Iyer, UT-Austin

Debashis Sahoo, Stanford

E. Allen Emerson, UT-Austin

Jawahar Jain, Fujitsu Labs


Outline

  • Background

  • The Partitioning Approach

  • Model Checking

    • The naïve algorithm

    • An improved algorithm

  • Experiments and Conclusion



Sequential Verification

  • Does the implementation fulfil its specification?

  • Model Checking:

    • State Based

    • Given: System under test

    • Prove: properties given in a temporal logic (e.g. CTL, LTL)

  • Required for Model Checking:

    • Input Data : Transition relation

    • Generated : Reachable states, Forbidden states

    • Procedures : Boolean Operations, Image Computation


Reachability Analysis

[Figure: the 2^n-state space explored from the initial set S0; figure labels S0, C, D]

Algorithm (simple property):

From = Reached = S0
do {
    To = Img(TR, From)
    New = To \ Reached
    Reached = Reached + To
    From = New
} while (New ≠ Ø)


Model Checking

  • Hinges on Reachability

    • Basic Operation: Pre-image

  • In Simple terms

    • Given “bad” formula f

    • Compute reachable states

    • Compute states satisfying f

    • Pass if intersection is empty

  • Key issues : State set generation and representation

    • Extensional, as originally proposed.

    • Symbolic, as now practiced


Ordered Binary Decision Diagrams

[Figure: an OBDD over the variables x, y, z with terminal nodes 0 and 1]

  • BDDs with

    • read-once property

    • fixed Variable order

  • The restrictions guarantee:

    • Canonicity

    • efficient Algorithms for Boolean Operations, Tautology, SAT and Equivalence check

  • Disadvantage:

    • Blow-Up possible

  • The minimizing problem:

    • better BDD Types (?)

    • Transformations (?)

    • Variable reordering

      • Local Search: Sifting


Symbolic Model Checking

  • Using BDDs to represent sets of states

  • Key operation is image computation

    • Using transition relation

    • Necessary to succinctly represent the transition relation

      What is the problem?


The Bottleneck in Verification

State-based verification, model checking

  • Can be fully automated in principle

    Why not in practice?

  • State space representation

    • Symbolically manifests as “BDD blowup”

      • Limits extent of automation

      • Limits size of designs that can be handled

  • Capacity is restricted by representation size

    • Memory restricts time

    • BDD based tools – crash or thrash

      So What can be done?




Partitioned Transition Relation

  • Represented as conjunction of k parts TRi

  • Easy to construct for synchronous circuits

  • Conjunction of “bitwise” TRi’s – the transition function of each state variable

    • Set of variables partitioned into k disjoint subsets

    • Transition functions for variables in each subset are conjuncted together to give TRi

    • TR is the implicit conjunction of TRi for i in 1 to k


Partitioned TR (Cont'd)

  • Basis of reachable states computation:

  • Partitioned TR:

[Figure: the partitioned TR as a cluster of ROBDDs TR_j, compared with a monolithic ROBDD]


Image Computation

  • The image computation step:

    Img(TR, A) = ∃x [TR(x, y) ∧ A(x)]

  • Partitioned TR useful due to early quantification (AndExist):

    Img(TR, A) = ∃x_n (TR_n ∧ ... ∃x_2 (TR_2 ∧ ∃x_1 (TR_1 ∧ A)) ...)

  • Choice and order of the TR_j's is crucial for good performance!


Partitioned TR - Observations

  • What is it that is partitioned?

    • The set of variables

    • The relation

  • Actual TR is an implicit conjunction

  • Sets of states always ROBDD

    • During image computation

    • Before and After image computation


So What?

  • Sets of states as ROBDDs

    • Can get very large

  • TR parts repeatedly conjuncted

    • During each image

    • Made easier combined with quantification

      • Still repeated expense

  • Solution: Partition all state-sets


Partitioned ROBDD (POBDD)

[Figure: f represented by four partitions f1, f2, f3, f4 under the window functions w1, w2, w3, w4]

Given the Boolean function f, X_f is its partitioned-ROBDD representation if ..., where ... and ... are ROBDDs with variable ordering π_i, and ...

Each w_i is called a window function.

Note that the ROBDDs in each partition may have a different variable ordering π_i.


A simple example

f = c (a1b1 + a2b2) + c (a1a2 + b1b2)

w1 = c

w2 = c

f1 = c (a1b1 + a2b2)

f2 = c (a1a2 + b1b2)

(One of the two c literals is complemented; the overline did not survive extraction.)

[Figure: the ROBDDs of f1 and f2, each over c, a1, a2, b1, b2 with terminals 0 and 1]

π1 : c, a1, b1, a2, b2

π2 : c, a1, a2, b1, b2


On Using Partitioning

  • Sets of states disjunctively partitioned

    • Key : Use same partitioning windows

    • In particular, set of reachable states

  • Induces disjunctive partitioning on TR

    • TR is a Relation on state pairs: Quadratic

  • Notice each such TR_ij can further be

    • Monolithic, Disjunctive, or Conjunctive

  • Image computation

    • Must consider to and from set in each partition


Reachability Revisited

Old algorithm:

From = Reached = S0
do {
    To = Img(TR, From)
    New = To \ Reached
    Reached += To
    From = New
} while (New ≠ Ø)

Notice that From is now partitioned:

  • TR applied to From_i of partition i; the result To_i is also partitioned

  • So To_ij is owned by partition j and must be given to j

  • Quadratic such transfers!


Image and Reachability

  • Fix point computations performed

    • On each partition locally, using TR_ii

    • Use the reachability algorithm on ROBDDs

  • Synchronization between partitions

    • Cross-over images find states using TR_ij (i ≠ j)

    • Must keep it infrequent

    • Postponed till the local fixpoint is reached


Reachability Example: Initial set

[Figure: windows w1..w4; initial states I1(x) in w1 and I3(x) in w3; event queue: 1, 3]

Local Fix Point

[Figure: local image T11 computed inside w1 from I1(x); I3(x) still pending in w3; event queue: 3]

Cross-over images

[Figure: reached set R1 in w1; cross-over images T12, T13, T14 for w2, w3, w4; event queue: 3, 4]

Another Local Fix point

[Figure: local image T33 computed inside w3; R1 in w1; event queue: 4]

More Cross over images

[Figure: reached set R3 in w3; cross-over images T31, T32, T34; R1 in w1; event queue: 4, 2, 1]

Example, cont.

[Figure: local image T44 in w4; reached sets R1 and R3; event queue: 1, 2]




CTL : temporal properties

  • EX(f), E(fUg), EG(f) form a basis set

    • Invariant checking: AG p

    • Absence of deadlock

      • Return to reset state: AG EF(s0)

    • Temporal implication: AG(p → EF q)

    • Liveness: EG p, AF p




Image Computation EXp

forall (partitions j)
    forall (partitions k)
        PreImg_jk(s) = ∃s′,i [TR_jk(s, s′, i) ∧ p_k(s′)]
        reorder BDD PreImg_jk from partition order k to j
    end for
    S_j = ∨_k PreImg_jk
end for
output S


Least Fix Point E(pUq)

S := q, S.old := NULL
repeat
    S.old := S
    temp := computeEX(S)
    forall (partitions j)
        S_j := q_j ∨ (p_j ∧ temp_j)
    end for
until (S = S.old)
output S


Greatest Fix Point EGp

S := p
repeat
    S.old := S
    temp := computeEX(S)
    forall (partitions j)
        S_j := p_j ∧ temp_j
    end for
until (S = S.old)
output S


What’s the problem?

  • Image computation has two parts

    • Transitions local to a partition (i = j)

    • Transitions crossing over partitions (i ≠ j)

  • Cross-over images are expensive!

    • Get BDDs, maybe from disk

    • Store BDDs, maybe over the network

    • Reorder large BDDs

  • The classical algorithm does one set of cross-over images during each EX.




Least Fix Point E(pUq)

S := q, S.old := NULL
repeat
    S.old := S
    forall (partitions j)
        repeat
            S_j.old := S_j
            S_j := S_j ∨ (p_j ∧ EXl(S_j, j))      … under-approximate
        until (S_j = S_j.old)
    end for
    S := S ∨ (p ∧ EXc(S))                       … add missing states
until (S = S.old)
output S
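As an added example (my illustration, not code from the paper or its tools), the naive E(pUq) fixpoint from the earlier slide and the improved local-then-cross-over version above run on a small explicit state graph, counting the cross-over images each performs; the graph, the window function `s // 4` and the sets p, q are constructed assumptions.

```python
# Added example (not the paper's code): classical vs. partitioned E(p U q) on an
# explicit state graph, counting how many cross-over images each version performs.
# part(s) gives the window owning state s; an edge inside one window is a local
# transition (TR_jj), an edge between windows is a cross-over transition (TR_ij, i != j).

def pre_image(edges, target):
    """EX over the given edges: states with at least one successor in target."""
    return {s for (s, t) in edges if t in target}

def split_edges(edges, part):
    """Separate local transitions from cross-over transitions."""
    local = {(s, t) for (s, t) in edges if part(s) == part(t)}
    return local, edges - local

def eu_classical(edges, p, q):
    """Naive least fixpoint: every EX does a full set of cross-over images."""
    s, cross_images = set(q), 0
    while True:
        old = s
        s = q | (p & pre_image(edges, s))
        cross_images += 1                     # one round of TR_jk (j != k) per EX
        if s == old:
            return s, cross_images

def eu_partitioned(edges, p, q, part):
    """Improved: local fixpoints with TR_jj (under-approximation), then one EXc(S)."""
    local, cross = split_edges(edges, part)
    windows = sorted({part(s) for e in edges for s in e})
    s, cross_images = set(q), 0
    while True:
        old = s
        for j in windows:
            pj = {x for x in p if part(x) == j}
            sj = {x for x in s if part(x) == j}
            while True:                       # local fixpoint: EXl(S_j, j)
                sj_old = sj
                sj = sj | (pj & pre_image(local, sj))
                if sj == sj_old:
                    break
            s = s | sj
        s = s | (p & pre_image(cross, s))     # EXc(S): the only cross-over image this round
        cross_images += 1
        if s == old:
            return s, cross_images

# Constructed sample (assumption, not from the paper): states 0-3 in window 0,
# 4-7 in window 1, a chain 0 -> 1 -> ... -> 7 whose only cross-over edge is 3 -> 4.
EDGES = {(s, s + 1) for s in range(7)}
P = set(range(8))                             # p holds everywhere
Q = {7}                                       # q holds only in the last state
```

On this chain both versions return all eight states, but the classical loop pays for 8 rounds of cross-over images while the partitioned loop pays for 3.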


Greatest Fix Point EGp

S := p
Border := p ∧ EXc(S)                            … candidate set
repeat
    S.old := S
    forall (partitions j)
        repeat
            S_j.old := S_j
            S_j := p_j ∧ (EXl(S_j, j) ∨ Border_j)   … over-approx
        until (S_j = S_j.old)
    end for
    Border := p ∧ EXc(S)                        … prune states
until (S = S.old)
output S





Conclusions

Assuming a model where cross-over images are very expensive, the proposed algorithm:

  • Is no worse than the classical algorithm

  • Converges faster, empirically, in terms of

    • Number of cross-over images

    • Time spent in cross-over images

  • Reduces total model checking time

    • Often quite significantly

  • Is good for parallel model checking

