1 / 28

Optimizing Symbolic Model Checking for Constraint-Rich Systems

Optimizing Symbolic Model Checking for Constraint-Rich Systems. Randal E. Bryant Bwolen Yang, Reid Simmons, David R. O’Hallaron Carnegie Mellon University. NASA’s Deep Space One (DS1) Spacecraft. fault diagnosis model qualitatively describes spacecraft’s behavior.

luce
Download Presentation

Optimizing Symbolic Model Checking for Constraint-Rich Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Optimizing Symbolic Model Checkingfor Constraint-Rich Systems Randal E. Bryant Bwolen Yang, Reid Simmons, David R. O’Hallaron Carnegie Mellon University

  2. NASA’s Deep Space One (DS1) Spacecraft fault diagnosis model qualitatively describes spacecraft’s behavior

  3. Livingstone Diagnostic Engine [William & Nayak ’96] consistent? Sensor Data Fault Diagnosis Model Autonomous SpacecraftNASA DS1’s Fault Diagnosis Model • Fault Diagnosis Model • component’s interconnections (thrusters, motors, valves…) • component’s state: mode (thruster’s force: low / nominal / high) • Also in Robot Explorer (Nomad: Antarctic meteorite explorer)

  4. Verification of DS1’s Fault Diagnosis Model[Simmons, CMU] • Automatically Translated to SMV Model Checker • state transition == component’s mode changes • time-invariant constraints • sensor values and modes • interconnection between components • automatic translation ==> little / no manual optimization • vs. models built from scratch by verification experts

  5. Verification of DS1’s Fault Diagnosis ModelChallenge • Failed due to Large Number of State Variables • 600-1200 state bits • model checker’s capacity: ~ a few hundred state bits • Observation • dominated by time-invariant constraints

  6. component 1 component 2 out in c: capacity of the pipe min(out, c) == in Time-Invariant ConstraintsExample 1 • Establish Interface “in” is redundant

  7. specialize bi-directional component 1 component 2 out in Time-Invariant ConstraintsExample 2 • Use of Generic Parts (both software / hardware) • specific use ==> constraints redundant components! e.g., valves always set to the same direction

  8. Time-Invariant ConstraintsObservation 1 (Example 1 + 2) • Many Unnecessary State Variables (macros) • Establish Interface in := min(out, c) • Specific Use of Generic Parts valve-direction := some constant (after inlining the module)

  9. Time-Invariant ConstraintsExample 3 • Indirection (based on the specification) transition relation next(bus.state) := complex expression f invariant constraints device1.output1 := switch (bus.state) … device1.output2 := switch (bus.state) …

  10. Time-Invariant ConstraintsExample 4 • Consistent Non-Deterministic Choices invariant constraint cmd := expression f with non-determinism (due to incomplete specification or abstraction) transition relations next(device1.output1) := switch (cmd) … next(device1.output2) := switch (cmd) …

  11. Time-Invariant ConstraintsObservation 2 (Example 3 + 4) • Variables w/ Constraints Used in Current State Only • Indirection device1.output1 := switch (bus.state) … device1.output2 := switch (bus.state) … • Consistent Non-Deterministic Choices cmd := expression f with non-determinism (due to incomplete specification or abstraction) • ==> • Corresponding Next-State BDD Variables NOT Used early quantification in pre-image computation • pre-image quantifies out next-state variables

  12. Time-Invariant ConstraintsExample 5 • Conditional Assignments (tank == non-empty) => (out-pressure.sign := positive) & (out-pressure.relative := nominal) • Note • occurs for interface and indirection • mostly simple (as above), but sometimes quite complicated • p1 => ((p2 => (a := …)) & (p3 => (b := …)) • most complicated expression has > 10,000 characters

  13. Time-Invariant ConstraintsObservation 3 (Example 5) • Combining Time-Invariant ==> Macros p1 => (a := …) p2 => (a := …) p3 => (a := …) … • ==> a := some deterministic expression complex expressions ==> syntactic analysis is insufficient

  14. Optimizations for Constraint-Rich Models • Time-Invariant Constraints • arise from modeling • may have lots of redundant state bits • Our Solutions • remove redundant state variables • identify macros: assignment-extraction algorithm • select macros: BDD characteristics • partition (conjunctive partitioning) remaining constraints • apply an improved version of [Ranjan et al. ’95] algorithm

  15. Related Work [Berthet, et al. ’90] [Lin & Newton ’91] [Hu & Dill ’93] [Eijk & Jess ’96] [Sentovich, et al. ’96] Problems require constraints to be combined first removal is not always beneficial Given invariant constraintc and state variable v, Question c ? v == g • if so, vis redundant • replacevwithg Redundant State-Variable RemovalProblem Statement

  16. ci v Gi Redundant State-Variable RemovalOur Approach: Assignment Extraction Algorithm non-deterministic assignment If Gi = { gi }, we have v == gi

  17. ? c1 c2 cn v G1 v G2 v Gn v == g Redundant State-Variable RemovalPartitioned Constraints use graph sizes to determine the “goodness” of g

  18. ci==> (vGi) ci |v=k==> (kGi) [substitute v with k] • Gi = U ( if ci|v=k then { k } else { } ) kKv Redundant State-Variable Removal Assignment Extraction Algorithm (Core Idea) • Target • To Construct a Solution for Gi for all k Kv whereKv is the set of possible values of v

  19. Conjunctive Partitioning of Time-Invariant Constraints • image(S) = $V. T  (S  C) • = $ (V - W ). T  [$W. (S  C) ] where T does not depend on variables in W. • many variables used only in time-invariant constraint • Represent C as Conjunctive Partition • C1 C2  …  Cm • monolithic BDD is too large to build

  20. Optimizations for Constraint-Rich ModelsOverall Impact time (sec)

  21. Performance Breakdown • BDD-Based Macro Optimization • Early-Quantification of W for $V. T  [$W. (S  C) ] without and with macro optimization

  22. Effects of BDD-Based Macro(No Early Quantification) time (sec)

  23. Effects of BDD-Based Macro: Causes % bdd vars removed

  24. Performance Breakdown • BDD-Based Macro Optimization • Early-Quantification of W for $V. T  [$W. (S  C) ] without and with macro optimization

  25. Effects of Early Quantification(No Macro Optimization) time (sec)

  26. Effects of Early Quantification: Causes(No Macro Optimization) Maximum achievable = 50% % bdd vars extracted

  27. Effects of Early Quantification (With Macro Optimization) time (sec)

  28. Summary & Future Work • Optimizations for Constraint-Rich Models • Enabled verification for DS1’s fault diagnosis model • 159 specs within 1 min • Typical of effort required to deal with models generated automatically from modular description • BDD Algorithms for Compiler-Type Analysis • Assignment-Extraction Algorithm • cone-of-influence analysis: exact dependence information

More Related