
Symbolic Techniques for Model Checking and State Space Exploration

Symbolic Techniques for Model Checking and State Space Exploration. Fabio Somenzi. University of Colorado at Boulder. Outline. Characteristic functions and BDDs Symbolic Model Checking Image/preimage computation Fixpoint computation Cycle detection Don’t care conditions.



  1. Symbolic Techniques for Model Checking and State Space Exploration. Fabio Somenzi, University of Colorado at Boulder

  2. Outline • Characteristic functions and BDDs • Symbolic Model Checking • Image/preimage computation • Fixpoint computation • Cycle detection • Don’t care conditions

  3. Symbolic Representation • Each set S is represented by its characteristic function, χ_S : S → {0,1} • Algorithms avoid enumeration of individual members of the sets • Potentially very concise: x1 ∧ x100 represents 3298 elements; however… • For a given representation, most functions have exponential description: no free lunch • BDDs often used for characteristic functions

  4. Symbolic Representation • T(x1,x0,y1,y0) = x1  x0  y1  y0  x1  x0  y0 x1  x0  y0 • S0(x1,x0) = x1  x0 • p(x1,x0) = x0 • q(x1,x0) = x1  x0 [Figure: transition diagram over the states 00, 01, 10, with states labelled p and q]

  5. Binary Decision Diagrams • BDDs are reduced decision trees • For a given variable order BDDs are canonical • Most interesting operations on BDDs are linear in the size of each operand • BDDs use lots of memory • Variable order may have large impact • Plain, old BDDs still best for model checking [Yang et al., FMCAD’98]

  6. Operations on BDDs The most important for model checking: • Conjunction • Quantification • AndExists • Minimization (Constrain, Restrict, …) • Approximation, Decomposition, …

  7. Variable Ordering • There may be an exponential gap in size between a good order and a bad one • Dynamic variable ordering (DVO) often essential, but expensive • Good orders found with DVO are often saved to speed up subsequent runs • DVO is (almost) transparent to the application • Sifting is the most popular approach to DVO • MC issue: relative position of variable pairs

  8. Outline • Characteristic functions and BDDs • Symbolic Model Checking • Image/preimage computation • Fixpoint computation • Cycle detection • Don’t care conditions

  9. CTL* (Loosely Speaking) • Formulae are made up of atomic propositions (p, q, …) and operators • ¬, ∧, ∨ • X: along this path φ holds in the next state • U: along this path φ holds until ψ holds • E: there is a path along which φ holds • Legal formulae say something about the states of the model • Example: E p U (q ∧ ¬X p)

  10. Abbreviations and Extensions • F φ : true U φ • G φ : ¬F ¬φ • A φ : ¬E ¬φ • Past time operators: Y (past counterpart of X), S (of U), P (of F), H (of G) • Example: Y φ : along this path φ held at the previous state

  11. How to Model Check EF and EG • The states satisfying EF and EG formulae are fixpoints of monotonic functions over 2^S • EF φ = φ ∨ EX EF φ • EG φ = φ ∧ EX EG φ • Specifically, EF is a least fixpoint and EG is a greatest fixpoint. This is written • EF φ = μZ . φ ∨ EX Z • EG φ = νZ . φ ∧ EX Z

  12. Computing EF and EG • EF φ: • Z = ∅; • Z' = S; • While (Z ≠ Z') { • Z' = Z; • Z = φ ∨ EX Z; • } • EG φ: • Z = S; • Z' = ∅; • While (Z ≠ Z') { • Z' = Z; • Z = φ ∧ EX Z; • }

  13. How to Model Check EGF φ • Translate into Büchi automaton • Compose automaton with model • Check composition for a fair path • A fair path satisfies all acceptance conditions infinitely often • Computation of fair paths: νZ . ⋀_i EX [E Z U (Z ∧ c_i)]

  14. CTL* Model Checking • We need to be able to • Translate formulae like EGF φ into automata • Compute fixpoints like • μZ . φ ∨ EX Z • νZ . φ ∧ EX Z • νZ . ⋀_i EX [E Z U (Z ∧ c_i)] • Reachability: μZ . I ∨ EY Z

  15. Outline • Characteristic functions and BDDs • Symbolic Model Checking • Image/preimage computation • Fixpoint computation • Cycle detection • Don’t care conditions

  16. EX: Preimage Computation • ∃y . [T(x,y) ∧ Z(y)] is called preimage computation • The BDD for T is often too large • The transition relation is kept in partitioned form, e.g., • One term for each subcircuit/latch • One term for each asynchronous process

  17. EY: Image Computation • ∃x . [T(x,y) ∧ Z(x)] is called image computation • It computes the set of successors to the states in Z(x) • The partitioned representation of the transition relation is also useful

  18. T for Synchronous Circuits • T(x,w,y) = [y1 ↔ δ1(x,w)] ∧ [y2 ↔ δ2(x,w)] ∧ … ∧ [yn ↔ δn(x,w)] [Figure: circuit with present-state inputs x1 … xn, primary inputs w1 … wm, next-state functions δ1 … δn and next-state outputs y1 … yn]

  19. Adding Cut-Point Variables • Sometimes even the BDD for a single bit relation may be too large • We can add intermediate variables that are then quantified during image/preimage computation • We can add many intermediate variables and then let clustering get rid of those that are less useful

  20. Early Quantification • ∃v1 . g(v2) ∧ f(v1,v2) = g(v2) ∧ ∃v1 . f(v1,v2) • If a variable to be existentially quantified appears in one conjunct only, it can be quantified before conjunction • Reduction in the support of the intermediate results often translates into smaller BDDs

  21. Ordering and Clustering • The parts of the transition relation are ordered in an attempt to heuristically reduce the sizes of the intermediate results • Ordering tries to keep the supports of the intermediate BDDs small • Introduce variables as late as possible • Quantify variables as early as possible • Clustering produces fewer parts so as to speed up the computation
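An added example, not the slides' or any BDD package's code, of the conjunctively partitioned image computation of slides 16 to 21 with early quantification: relational tables (sets of value tuples over named variables) replace BDDs, the 3-latch circuit with one primary input w is constructed for the example, and the support size (variable count) of the intermediate results stands in for BDD size.

```python
from itertools import product

class Rel:
    """Characteristic function over named variables, stored as value tuples."""
    def __init__(self, names, rows):
        self.vars, self.rows = tuple(names), frozenset(rows)

    def conjoin(self, other):
        """Logical AND of two characteristic functions (a natural join)."""
        out = self.vars + tuple(v for v in other.vars if v not in self.vars)
        rows = set()
        for a in self.rows:
            da = dict(zip(self.vars, a))
            for b in other.rows:
                db = dict(zip(other.vars, b))
                if all(da[v] == db[v] for v in da.keys() & db.keys()):
                    rows.add(tuple({**da, **db}[v] for v in out))
        return Rel(out, rows)

    def exists(self, qvars):
        """Existential quantification: project the variables in qvars away."""
        keep = [i for i, v in enumerate(self.vars) if v not in qvars]
        return Rel([self.vars[i] for i in keep],
                   {tuple(r[i] for i in keep) for r in self.rows})

def image(z, parts, early=True):
    """exists x, w . Z(x) AND T_1 AND ... AND T_n for a conjunctive partition.
    Returns the successor set over the y variables and the peak support size
    (variable count) of the intermediate results, the quantity slide 20 wants
    small. With early=False all quantification waits for the last conjunct."""
    cur, peak = z, len(z.vars)
    for i, t in enumerate(parts):
        cur = cur.conjoin(t)
        peak = max(peak, len(cur.vars))
        if early:  # quantify x/w variables no remaining conjunct depends on
            later = {v for p in parts[i + 1:] for v in p.vars}
            cur = cur.exists({v for v in cur.vars if v[0] != "y" and v not in later})
    return cur.exists({v for v in cur.vars if v[0] != "y"}), peak

def bit_rel(ins, out, fn):
    """One term [y_k <-> delta_k(x, w)] of the synchronous T of slide 18."""
    return Rel(ins + (out,),
               {vals + (fn(*vals),) for vals in product((0, 1), repeat=len(ins))})

# Constructed 3-latch circuit with one primary input w (not from the slides).
PARTS = [bit_rel(("x1", "w"), "y1", lambda a, w: a ^ w),
         bit_rel(("x2", "x3"), "y2", lambda b, c: b & c),
         bit_rel(("x3",), "y3", lambda c: 1 - c)]
Z0 = Rel(("x1", "x2", "x3"), {(1, 0, 0), (1, 1, 1)})  # constructed current states
```

Both schedules reach the same successor set; early quantification keeps the widest intermediate result at 5 variables instead of 7, because x1 and w are dropped right after the only conjunct that mentions them.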

  22. Quantify Conjunctions From Dependence Matrix • Dependence Matrix • m : number of functions • n : number of variables • d_ij = 1 : i-th function depends on j-th variable [Figure: m × n dependence matrix with rows d1, d2, d3, …, dm] • Average Variable Lifetimes • λ : total lifetime (exit) • α : active lifetime (entry & exit) • λ = (1 / (m · n)) Σ_{1 ≤ j ≤ n} (m − l_j + 1) • α = (1 / (m · n)) Σ_{1 ≤ j ≤ n} (h_j − l_j + 1) • Example (4 × 4 matrix): α = (2+3+3+1) / (4 × 4) = 9/16, λ = (4+4+3+1) / (4 × 4) = 12/16

  23. Active Variables Recursion never deeper than f  f g • In general, there is an advantage in having some variables only in one of the operands, as opposed to having them in both operands

  24. Example (s4863) • MLP (λ = 0.38, α = 0.07): reachability 2805 sec • IWLS95 [RAB+95] (λ = 0.45, α = 0.20): reachability time-out

  25. Disjunctive Partitioning • If the transition relation is disjunctively decomposed, quantification distributes • ∃x . (f ∨ g) ∧ h = (∃x . f ∧ h) ∨ (∃x . g ∧ h) • Disjunctive partitioning is natural for asynchronous systems • It can also be applied to difficult synchronous systems by splitting on the values of a variable • Splitting can be used to compute images and preimages without any conjunction

  26. Hybrid Image Computation • At each node decide whether to split or conjoin • If splitting, choose a variable and recur • At each node with children disjoin their results [Figure: recursion tree with Split (Min) and Conjoin (Max) nodes]

  27. Outline • Characteristic functions and BDDs • Symbolic Model Checking • Image/preimage computation • Fixpoint computation • Cycle detection • Don’t care conditions

  28. Using Frontiers for EU • Δ = any function with a small BDD such that Y ∖ Z ⊆ Δ ⊆ Y ∪ Z • Z = ψ; • Δ = ψ; • While (Δ ≠ ∅) { • Y = φ ∧ EX Δ; • Δ = Y ∖ Z (or any Δ as above); • Z = Z ∪ Δ; • }
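An added example, not from the slides, of the EF/EG iterations of slides 11 and 12 and the frontier loop of slide 28, run on a constructed 6-state Kripke structure; frozensets of states play the role of characteristic functions and EX is computed as a preimage over an explicit transition relation.

```python
from typing import FrozenSet, Iterable, Tuple

Set = FrozenSet[int]

def preimage(trans: Iterable[Tuple[int, int]], z: Set) -> Set:
    """EX Z = exists y . T(x, y) AND Z(y): states with a successor in Z."""
    return frozenset(x for (x, y) in trans if y in z)

def ef(trans, phi: Set) -> Set:
    """EF phi = mu Z . phi OR EX Z, iterated upward from the empty set."""
    z, prev = frozenset(), None
    while z != prev:
        prev, z = z, phi | preimage(trans, z)
    return z

def eg(trans, phi: Set, states: Set) -> Set:
    """EG phi = nu Z . phi AND EX Z, iterated downward from all states S."""
    z, prev = states, None
    while z != prev:
        prev, z = z, phi & preimage(trans, z)
    return z

def eu_frontier(trans, phi: Set, psi: Set) -> Set:
    """E[phi U psi], taking EX only of the frontier Delta = Y \\ Z instead of
    the whole accumulated set Z (slide 28 with the exact frontier)."""
    z = delta = psi
    while delta:
        y = phi & preimage(trans, delta)   # new candidates behind the frontier
        delta = y - z                       # Y \ Z: states not yet in Z
        z = z | delta
    return z

# Constructed 6-state Kripke structure (not from the slides):
# 0->1, 1->2, 2->3, 3->3, 1->4, 4->5, 5->4, 2->0; p holds in 3, q in 4 and 5.
TRANS = frozenset({(0, 1), (1, 2), (2, 3), (3, 3), (1, 4), (4, 5), (5, 4), (2, 0)})
STATES = frozenset(range(6))
P = frozenset({3})
Q = frozenset({4, 5})
```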

  29. Modified Fixpoint Computation • Fixpoint computations are normally BFS traversals • Problem • BDD size explosions in intermediate BDDs • Cause (sometimes) • BFS is inflexible in controlling BDD sizes

  30. [Figure: Reachability Analysis of S1269, BDD nodes versus iterations, with the memory limit marked]

  31. Mixed BFS/DFS • Mixed (BFS + DFS) state search • Can control the size of intermediate BDDs • More efficient than BFS in many cases • Techniques • High density traversal [RS95, RS99] • Partitioned traversal [CCQ96, NIJ+97] • Prioritized traversal [FKZ+00]

  32. Mixed BFS-DFS Search • BDD Approximations [RS95, RMSS98] • Density of f = minterms(f) / nodes(f) • Redirect low-density branches to other nodes • BDD decomposition [CCQ96, NIJ+97, FKZ+00] • Balanced partitions • Splitting on variables

  33. Symbolic Guided Search • A hint is a (user-provided) predicate that restricts the transition relation • Hints can be used to produce mixed BFS-DFS search • BDDs for fixpoint iterates are kept small • For each hint a new fixpoint is computed using the result from the previous hint as starting point • To guarantee convergence, the last hint leaves the transition relation unchanged

  34. Approximate Model Checking • Exact: compute Sat(φ) and compare it with I to decide T,I ⊨ φ or T,I ⊭ φ • Approximate: compute Sat+(φ) ⊇ Sat(φ) and Sat−(φ) ⊆ Sat(φ); I ⊆ Sat−(φ) gives T,I ⊨ φ, I ⊄ Sat+(φ) gives T,I ⊭ φ

  35. [Figure: syntax tree of AG EF p written with fixpoint variables Z (AX) and Y (p, EX), each node annotated as overapproximate or underapproximate]

  36. Approximate Reachability • Model <T,I> is decomposed into submodels <Ti,Ii> such that • T ⊆ ⋂_i Ti and I ⊆ ⋂_i Ii • Each submodel depends on a few variables • Reachable states are given by iteration • L_j^{−1} = Ij • L_j^i = L_j^{i−1} ∪ Img(Tj , ⋀_k L_k^{i−1}) if j = σ(i) • L_j^i = L_j^{i−1} otherwise

  37. Outline • Characteristic functions and BDDs • Symbolic Model Checking • Image/preimage computation • Fixpoint computation • Cycle detection • Don’t care conditions

  38. Symbolic Fair Cycle Computations [Figure: flowchart: compute an SCC hull (set of states that contain fair SCCs); if it is the empty set, stop; otherwise symbolic SCC enumeration and refinement, then check if each SCC is fair (Yes / No)]

  39. Generic SCC Hull Algorithm (GSH) • SCC hull: a set of states that contains all fair SCCs • Generalize EL: νZ . ⋀_i EX [E Z U (Z ∧ ci)] • Operators • TB : EX(Z), {E(Z U Z ∧ ci)} • TF : EY(Z), {E(Z S Z ∧ ci)} • Algorithm: start with all states, at every iteration • choose and apply an operator from TB or TF (operator schedules) • converge when no change in state set under TB or TF operators
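An added example, not from the slides or any model checker, of the Emerson-Lei fixpoint of slides 13 and 39 evaluated with a round-robin schedule of the backward operators TB over a constructed product graph (no TF operators, so the hull is not restricted to reachable states); the graph, its initial state and the two acceptance sets c1, c2 are made up.

```python
def preimage(trans, z):
    """EX Z: states with a successor in Z."""
    return frozenset(x for (x, y) in trans if y in z)

def eu(trans, phi, psi):
    """E[phi U psi] = mu Z . psi OR (phi AND EX Z)."""
    z, prev = psi, None
    while z != prev:
        prev, z = z, psi | (phi & preimage(trans, z))
    return z

def fair_hull(trans, states, fair_sets):
    """nu Z . AND_i EX E[Z U (Z AND c_i)] (Emerson-Lei), computed by applying
    the TB operator of each c_i in turn until a full sweep over all c_i
    leaves Z unchanged, i.e. a round-robin GSH operator schedule."""
    z, prev = states, None
    while z != prev:
        prev = z
        for c in fair_sets:
            z = z & preimage(trans, eu(trans, z, z & c))
    return z

def has_fair_cycle(trans, states, init, fair_sets):
    """Non-empty iff an initial state is in the hull: every hull state starts
    an infinite path that visits each c_i infinitely often."""
    return bool(init & fair_hull(trans, states, fair_sets))

# Constructed product graph (not from the slides): cycle {1,2} meets only c1,
# cycle {3,4} meets both c1 and c2, state 5 is a non-accepting sink.
TRANS = frozenset({(0, 1), (1, 2), (2, 1), (2, 3), (3, 4), (4, 3), (1, 5), (5, 5)})
STATES = frozenset(range(6))
INIT = frozenset({0})
FAIR = [frozenset({2, 3}), frozenset({4})]
# Same graph without 2->3: the fair cycle {3,4} is no longer reachable from 0.
TRANS_CUT = TRANS - {(2, 3)}
```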

  40. Symbolic SCC Enumeration • Find an SCC • pick a state v • compute the SCC of v as EP(v) ∧ EF(v) • Check if SCC is fair • Recur on the partitions

  41. Accepting SCC Strength [Figure: three automata labelled strong, weak and terminal, with transitions on p]

  42. Emptiness Check • Algorithm based on property automaton • For terminal automata: EF fair • reachability analysis • For weak automata: EF EG fair • reachability and existence of cycle • For strong automata: EG_fair true • reachability and existence of cycle through some fair states

  43. Outline • Characteristic functions and BDDs • Symbolic Model Checking • Image/preimage computation • Fixpoint computation • Cycle detection • Don’t care conditions

  44. Don’t Cares • Forward search can identify reachable states • Backward search can be restricted to reachable states • Or just some unreachable states may be excluded • The transition relation can be changed • Unreachable transitions can be redirected at will

  45. Don’t Cares [Figure: transition graph over the states 000, 001, 011, 101, 110, 100, 111, 010; BDD: 18 nodes]

  46. Don’t Cares [Figure: the same graph after redirecting unreachable transitions; BDD: 13 nodes]

  47. Forward Model Checking • A subset of CTL* can be model checked by using EY and not using EX • Example: for a model with initial state s0 • K, s0 ⊨ EF φ translates into • EP s0 ∧ φ • Especially attractive for properties like • EG φ, where φ does not hold in initial state • E φ U ψ, where φ holds in very few states

  48. Equivalent Variables • Some state variables may have the same or complementary values on all reachable states • Idea (TiGeR): Instantiate a BDD variable for each equivalence class of variables (initially one) and then refine the partition as reachability progresses • Create the transition relation only in terms of the instantiated variables

  49. Credits Many thanks to • Roderick Bloem • In-Ho Moon • Kavita Ravi who are the authors of some of the slides
