- By
**janus** - Follow User

- 107 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' On Partitioning and Symbolic Model Checking FM 2005' - janus

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### On Partitioning and Symbolic Model CheckingFM 2005

OutlineOutlineOutlineOutline

Subramanian Iyer, UT-Austin

Debashis Sahoo, Stanford

E. Allen Emerson, UT-Austin

Jawahar Jain, Fujitsu Labs

Outline

- Background
- The Partitioning Approach
- Model Checking
- The naïve algorithm
- An improved algorithm
- Experiments and Conclusion

Outline

- Background
- The Partitioning Approach
- Model Checking
- The naïve algorithm
- An improved algorithm
- Experiments and Conclusion

Sequential Verification

- Does Implementation fullfil its Specification?
- Model Checking:
- State Based
- Given: System under test
- Prove: properties given in a temporal logic (eg: CTL, LTL)
- Required for Model Checking:
- Input Data : Transition relation
- Generated : Reachable states, Forbidden states
- Procedures : Boolean Operations, Image Computation

Reachability Analysis

Algorithm:

Simple property:

2n

From=Reached=S0

do{

To = Img(TR,From)

New = To \ Reached

Reached = Reached + To

From = New

}while(New Ø )

- C

- D

Model Checking

- Hinges on Reachability
- Basic Operation: Pre-image
- In Simple terms
- Given “bad” formula f
- Compute reachable states
- Compute states satisfying f
- Pass if intersection is empty
- Key issues : State set generation and representation
- Extensional, as originally proposed.
- Symbolic, as now practiced

y

y

z

z

1

0

OrderedBinary Decision Diagrams- BDDs with
- read-once property
- fixed Variable order
- The restrictions guarantee:
- Canonicity
- efficient Algorithms for Boolean Operations, Tautology, SAT and Equivalence check
- Disadvantage:
- Blow-Up possible

- The minimizing problem:
- better BDD Types (?)
- Transformations (?)
- Variable- Reordering
- Local Search: Sifting

Symbolic Model Checking

- Using BDDs to represent sets of states
- Key operation is image computation
- Using transition relation
- Necessary to succinctly represent the transition relation

What is the problem?

The Bottleneck in Verification

State-based verification, model checking

- Can be fully automated in principle

Why not in practice?

- State space representation
- Symbolically manifests as “BDD blowup”
- Limits extent of automation
- Limits size of designs that can be handled
- Capacity is restricted by representation size
- Memory restricts time
- BDD based tools – crash or thrash

So What can be done?

Outline

- Background
- The Partitioning Approach
- Model Checking
- The naïve algorithm
- An improved algorithm
- Experiments and Conclusion

Partitioned Transition Relation

- Represented as conjunction of k parts TRi
- Easy to construct for synchronous circuits
- Conjunction of “bitwise” TRi’s – the transition function of each state variable
- Set of variables partitioned into k disjoint subsets
- Transition functions for variables in each subset are conjuncted together to give TRi
- TR is the implicit conjunction of TRi for i in 1 to k

Partitioned TR (Cont‘d)

- Basis of reachable states computation:
- Partitioned TR:

TRj

Cluster of ROBDDs

Monolithic ROBDD

Image Computation

- The image computation step:
- Partitioned TR useful due to early quantification (AndExist):
- Choice and order of TRj’s is crucial for a good performance!

Img(TR,A)= $x( TR(x,y) A(x))

Img(TR,A)= $xn( TRn ...$x2( TR2 $x1( TR1 A)))...)

Partitioned TR - Observations

- What is it that is partitioned?
- The set of variables
- The relation
- Actual TR is an implicit conjunction
- Sets of states always ROBDD
- During image computation
- Before and After image computation

So What?

- Sets of states as ROBDDs
- Can get very large
- TR parts repeatedly conjuncted
- During each image
- Made easier combined with quantification
- Still repeated expense
- Solution: Partition all state-sets

^

^

^

^

f2

f4

f3

f1

Partitioned ROBDD (POBDD)Given the Boolean Function

Xfis its partitioned-ROBDD representation if,

where

and

are ROBDDs with variable ordering pi, and,

w2

w1

Each wiis called a window function

Note that the ROBDDs in each partition may have a different variables ordering pi

w4

w3

A simple example

f = c (a1b1 + a2b2) + c (a1a2 + b1b2 )

w1 = c

w2 = c

f1 = c (a1b1 + a2b2)

f2 = c (a1a2 + b1b2 )

f2

f1

c

c

a1

a1

a2

b1

b1

a2

b2

b2

1

1

0

0

2 : c, a1, a2, b1, b2

1 : c, a1, b1, a2, b2

On Using Partitioning

- Sets of states disjunctively partitioned
- Key : Use same partitioning windows
- In particular, set of reachable states
- Induces disjunctive partitioning on TR
- TR is a Relation on state pairs: Quadratic
- Notice each such TRijcan further be
- Monolithic, Disjunctive, or Conjunctive
- Image computation
- Must consider to and from set in each partition

Reachability Revisited

Old Algorithm:

From=Reached=S0

do{

To = Img(TR,From)

New = To \ Reached

Reached += To

From = New

}while(New Ø )

Notice that From is now partitioned

TR applied to Fromiof partition i,

result Toiis also partitioned

So Toijis owned by partition j

Must be given to j.

Quadratic such transfers!

Image and Reachability

- Fix point computations performed
- On each partition locally Using TRii
- Use reachability algorithm on ROBDDs
- Synchronization between partitions
- Cross-over images finds states use TRij , .
- Must keep it infrequent
- Postponed till local fixpoint reached

- Background
- The Partitioning Approach
- Model Checking
- The naïve algorithm
- An improved algorithm
- Experiments and Conclusion

CTL : temporal properties

- EX(f), E(fUg), EG(f) form a basis set
- Invariant Checking AGp
- Absence of Deadlock
- Return to reset state AGEF(s0)
- Temporal Implication AG(p EF q)
- Liveness EGp, AFp

- Background
- The Partitioning Approach
- Model Checking
- The naïve algorithm
- An improved algorithm
- Experiments and Conclusion

Image Computation EXp

- forall (partitions j)
- forall (partitions k)
- PreImg_jk(s) = ∃s′,i[TRjk(s, s′, i) ∧ pk(s′)]
- reorder BDD PreImgjk from part order k to j

end for

- Sj = ∨k PreImgjk

end for

- output S

Least Fix Point E(pUq)

- S := q , S.old := NULL
- repeat
- S.old := S
- temp := computeEX(S)
- forall (partitions j)
- Sj := qj ∨ (pj ∧ tempj)

end for

until(S = S.old)

- output S

Greatest Fix Point EGp

- S := p
- repeat
- S.old := S
- temp := computeEX(S)
- forall (partitions j)
- Sj := pj ∧ tempj

end for

until(S = S.old)

- output S

What’s the problem?

- Image computation has two parts
- Transitions local to a partition (i=j)
- Transitions Crossing over partitions (i<>j)
- Cross-over images are expensive!
- Get BDDs, maybe from disk
- Store BDDs, maybe over network
- Reorder large BDDs
- The classical algorithm does one set of cross-over image during each EX.

- Background
- The Partitioning Approach
- Model Checking
- The naïve algorithm
- An improved algorithm
- Experiments and Conclusion

Least Fix Point E(pUq)

- S := q, S.old := NULL
- repeat
- S.old := S
- forall (partitions j)
- repeat
- Sj .old := Sj
- Sj := Sj ∨ (pj ∧ EXl(Sj , j)) … under-approximate

until(Sj = Sj .old)

end for

- S := S ∨ (p ∧ EXc(S)) … add missing states

until(S = S.old)

- output S

Greatest Fix Point EGp

- S := p
- Border := p ∧ EXc(S) … candidate set
- repeat
- S.old := S
- forall (partitions j)
- repeat
- Sj .old := Sj
- Sj := pj ∧ (EXl(Sj , j) ∨ Borderj) … over-approx
- until(Sj == Sj .old)

end for

- Border := p ∧EXc(S) … prune states

until(S == S.old)

- output S

- Background
- The Partitioning Approach
- Model Checking
- The naïve algorithm
- An improved algorithm
- Experiments and Conclusion

Conclusions

Assuming a model where cross-over images are very expensive, the proposed algorithm:

- Is no worse than the classical algorithm
- Converges faster, empirically, in terms of
- Number of cross-over images
- Time spent in cross-over images
- Reduces total model checking time
- Often quite significantly
- Is good for parallel model checking

Download Presentation

Connecting to Server..