On Partitioning and Symbolic Model Checking (FM 2005) - presentation transcript

On Partitioning and Symbolic Model CheckingFM 2005

Subramanian Iyer, UT-Austin

Debashis Sahoo, Stanford

E. Allen Emerson, UT-Austin

Jawahar Jain, Fujitsu Labs


Outline

  • Background

  • The Partitioning Approach

  • Model Checking

    • The naïve algorithm

    • An improved algorithm

  • Experiments and Conclusion


Sequential Verification

  • Does the implementation fulfil its specification?

  • Model Checking:

    • State based

    • Given: the system under test

    • Prove: properties given in a temporal logic (e.g. CTL, LTL)

  • Required for model checking:

    • Input data: transition relation

    • Generated: reachable states, forbidden states

    • Procedures: Boolean operations, image computation


Reachability Analysis

[Figure: a state space of 2^n states with the initial set S0]

Algorithm (for a simple property):

    From = Reached = S0
    do {
        To = Img(TR, From)
        New = To \ Reached
        Reached = Reached + To
        From = New
    } while (New ≠ Ø)


Model Checking

  • Hinges on Reachability

    • Basic Operation: Pre-image

  • In Simple terms

    • Given “bad” formula f

    • Compute reachable states

    • Compute states satisfying f

    • Pass if intersection is empty

  • Key issues : State set generation and representation

    • Extensional, as originally proposed.

    • Symbolic, as now practiced


Ordered Binary Decision Diagrams

[Figure: an OBDD over the variables x, y, z with terminal nodes 1 and 0]

  • BDDs with

    • read-once property

    • fixed Variable order

  • The restrictions guarantee:

    • Canonicity

    • efficient Algorithms for Boolean Operations, Tautology, SAT and Equivalence check

  • Disadvantage:

    • Blow-Up possible

  • The minimizing problem:

    • better BDD Types (?)

    • Transformations (?)

    • Variable- Reordering

      • Local Search: Sifting


Symbolic Model Checking

  • Using BDDs to represent sets of states

  • Key operation is image computation

    • Using transition relation

    • Necessary to succinctly represent the transition relation

      What is the problem?


The Bottleneck in Verification

State-based verification, model checking

  • Can be fully automated in principle

    Why not in practice?

  • State space representation

    • Symbolically manifests as “BDD blowup”

      • Limits extent of automation

      • Limits size of designs that can be handled

  • Capacity is restricted by representation size

    • Memory restricts time

    • BDD based tools – crash or thrash

      So What can be done?


Partitioned Transition Relation

  • Represented as a conjunction of k parts TR_i

  • Easy to construct for synchronous circuits

  • Conjunction of “bitwise” TR_i’s – the transition function of each state variable

    • Set of variables partitioned into k disjoint subsets

    • Transition functions for the variables in each subset are conjuncted together to give TR_i

    • TR is the implicit conjunction of TR_i for i in 1 to k


Partitioned TR (Cont’d)

  • Basis of reachable states computation:

  • Partitioned TR:

[Figure: the partitioned TR as a cluster of ROBDDs TR_j, contrasted with a single monolithic ROBDD]

Image Computation

  • The image computation step:

    Img(TR, A) = ∃x ( TR(x, y) ∧ A(x) )

  • Partitioned TR useful due to early quantification (AndExist):

    Img(TR, A) = ∃x_n ( TR_n ∧ ... ∃x_2 ( TR_2 ∧ ∃x_1 ( TR_1 ∧ A ) ) ... )

  • Choice and order of the TR_j’s is crucial for good performance!
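The two formulas above, worked through on a constructed 3-bit counter. This is an added example, not code from the paper or its authors: explicit truth tables (class Fn) stand in for ROBDDs, the bitwise relations TR1, TR2, TR3 and the variable names x0..x2, y0..y2 are assumptions of the example, and the AndExist schedule conjuncts TR3 first so that each x variable can be quantified as soon as no remaining part mentions it. The peak support size that each routine reports shows why the early-quantified form is cheaper: the monolithic form must hold all six variables at once.

```python
from itertools import product

class Fn:
    """A Boolean function kept as an explicit truth table: `sat` holds every
    satisfying assignment as a frozenset of (variable, value) pairs over exactly
    the variables in `support`. An explicit stand-in for a ROBDD."""
    def __init__(self, support, sat):
        self.support, self.sat = frozenset(support), frozenset(sat)

    @classmethod
    def of(cls, support, pred):
        """Tabulate pred over all 2^|support| assignments."""
        support = tuple(support)
        envs = (dict(zip(support, bits)) for bits in product((0, 1), repeat=len(support)))
        return cls(support, {frozenset(e.items()) for e in envs if pred(e)})

    def __call__(self, env):
        return frozenset((v, env[v]) for v in self.support) in self.sat

    def conj(self, other):
        """f ∧ g over the joint support."""
        return Fn.of(self.support | other.support, lambda e: self(e) and other(e))

    def exists(self, xs):
        """∃xs. f: drop the quantified variables from every satisfying assignment."""
        keep = self.support - frozenset(xs)
        return Fn(keep, {frozenset(p for p in a if p[0] in keep) for a in self.sat})

    def same_as(self, other):
        return self.support == other.support and self.sat == other.sat

X, Y = ("x0", "x1", "x2"), ("y0", "y1", "y2")
# Bitwise transition relations of a 3-bit counter (constructed example): TR_i
# relates next-state bit y_i to the current-state bits it depends on.
TR1 = Fn.of(("x0", "y0"), lambda e: e["y0"] == 1 - e["x0"])
TR2 = Fn.of(("x0", "x1", "y1"), lambda e: e["y1"] == e["x1"] ^ e["x0"])
TR3 = Fn.of(("x0", "x1", "x2", "y2"), lambda e: e["y2"] == e["x2"] ^ (e["x0"] & e["x1"]))

def state_set(values, vars_):
    """Characteristic function of a set of integers encoded on vars_ (bit i = vars_[i])."""
    return Fn.of(vars_, lambda e: sum(e[v] << i for i, v in enumerate(vars_)) in values)

def decode(fn, vars_):
    """Integers encoded by the satisfying assignments of fn over vars_."""
    return {sum(dict(a)[v] << i for i, v in enumerate(vars_)) for a in fn.sat}

def img_monolithic(A):
    """Img(TR, A) = ∃x (TR(x, y) ∧ A(x)), building the whole TR first.
    Returns the image and the largest support any intermediate function had."""
    tr = TR1.conj(TR2).conj(TR3)
    full = tr.conj(A)
    return full.exists(X), len(full.support)

def img_early(A):
    """Same image by AndExist: Img = ∃x0 (TR1 ∧ ∃x1 (TR2 ∧ ∃x2 (TR3 ∧ A))).
    Each x_i is quantified as soon as the remaining TR_j no longer mention it."""
    acc, peak = A, len(A.support)
    remaining = [TR3, TR2, TR1]
    for part in list(remaining):
        remaining.remove(part)
        acc = acc.conj(part)
        peak = max(peak, len(acc.support))
        still_needed = set().union(*(p.support for p in remaining))
        acc = acc.exists([x for x in X if x in acc.support and x not in still_needed])
    return acc, peak

if __name__ == "__main__":
    A = state_set({0, 1, 7}, X)          # current states 0, 1 and 7 of the counter
    image, peak = img_early(A)
    print(sorted(decode(image, Y)), "peak support", peak)
```

Both routines yield the successor set {0, 1, 2} for the states {0, 1, 7}; the early-quantified computation never holds more than four variables at once, whereas the monolithic one holds six.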


Partitioned TR - Observations

  • What is it that is partitioned?

    • The set of variables

    • The relation

  • Actual TR is an implicit conjunction

  • Sets of states always ROBDD

    • During image computation

    • Before and After image computation


So What?

  • Sets of states as ROBDDs

    • Can get very large

  • TR parts repeatedly conjuncted

    • During each image

    • Made easier combined with quantification

      • Still repeated expense

  • Solution: Partition all state-sets


Partitioned ROBDD (POBDD)

[Figure: the function f split into the parts f1, f2, f3, f4 under the window functions w1, w2, w3, w4]

Given the Boolean function f, X_f is its partitioned-ROBDD representation if [conditions not captured in the transcript], where [ ] and [ ] are ROBDDs with variable ordering π_i, and [ ].

Each w_i is called a window function.

Note that the ROBDDs in each partition may have a different variable ordering π_i.


A simple example

    f  = c (a1 b1 + a2 b2) + ¬c (a1 a2 + b1 b2)

    w1 = c
    w2 = ¬c

    f1 = c (a1 b1 + a2 b2)
    f2 = ¬c (a1 a2 + b1 b2)

[Figure: the ROBDDs of f1 and f2, each rooted at c, with terminals 1 and 0]

    π1 : c, a1, b1, a2, b2
    π2 : c, a1, a2, b1, b2
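The example above checked by enumeration. This is an added example, not code from the paper: truth tables over the five variables stand in for the ROBDDs, each part is built as f_i = w_i ∧ f exactly as the slide does for w1 = c and w2 = ¬c, and check_partition verifies the two things a window set must provide, namely that the windows cover the whole space and that the parts reassemble f. The second, deliberately bad window set (w2 = ¬c ∧ a1) is a constructed counter-example showing what the check rejects.

```python
from itertools import product

VARS = ("c", "a1", "a2", "b1", "b2")

def f(e):
    """f = c·(a1·b1 + a2·b2) + ¬c·(a1·a2 + b1·b2), the slide's function."""
    if e["c"]:
        return (e["a1"] and e["b1"]) or (e["a2"] and e["b2"])
    return (e["a1"] and e["a2"]) or (e["b1"] and e["b2"])

def minterms(g):
    """Explicit truth table of g: the set of satisfying assignments over VARS (ROBDD stand-in)."""
    return frozenset(bits for bits in product((0, 1), repeat=len(VARS))
                     if g(dict(zip(VARS, bits))))

def partition(g, windows):
    """Build the POBDD parts (w_i, f_i) with f_i = w_i ∧ g, as in the slide's example."""
    return [(w, minterms(lambda e, w=w: w(e) and g(e))) for w in windows]

def check_partition(parts, g):
    """A valid partitioned representation must cover the whole space (∨ w_i = 1)
    and reassemble g exactly (∨ f_i = g). Returns (covers, reassembles)."""
    covers = all(any(w(dict(zip(VARS, bits))) for w, _ in parts)
                 for bits in product((0, 1), repeat=len(VARS)))
    reassembles = frozenset().union(*(fi for _, fi in parts)) == minterms(g)
    return covers, reassembles

def part_sizes(parts):
    """Number of minterms held by each part."""
    return [len(fi) for _, fi in parts]

# The slide's windows: w1 = c, w2 = ¬c (disjoint and covering).
GOOD = partition(f, [lambda e: e["c"] == 1, lambda e: e["c"] == 0])
# A constructed bad choice: w2 = ¬c ∧ a1 leaves the ¬c ∧ ¬a1 region uncovered.
BAD = partition(f, [lambda e: e["c"] == 1, lambda e: e["c"] == 0 and e["a1"] == 1])

if __name__ == "__main__":
    print("slide windows:", check_partition(GOOD, f), part_sizes(GOOD))
    print("bad windows:  ", check_partition(BAD, f), part_sizes(BAD))
```

With the slide's windows each part holds 7 of f's 14 minterms and the checks pass; with the bad window set the uncovered region drops minterms of f, so both checks fail.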


On Using Partitioning

  • Sets of states disjunctively partitioned

    • Key: use the same partitioning windows

    • In particular, the set of reachable states

  • Induces a disjunctive partitioning on TR

    • TR is a relation on state pairs: quadratic

  • Notice each such TR_ij can further be

    • Monolithic, disjunctive, or conjunctive

  • Image computation

    • Must consider the to and from set in each partition


Reachability Revisited

Old algorithm:

    From = Reached = S0
    do {
        To = Img(TR, From)
        New = To \ Reached
        Reached += To
        From = New
    } while (New ≠ Ø)

Notice that From is now partitioned:

  • TR applied to From_i of partition i; the result To_i is also partitioned

  • So To_ij is owned by partition j and must be given to j

  • Quadratically many such transfers!


Image and Reachability

  • Fix point computations performed

    • On each partition locally, using TR_ii

    • Use the reachability algorithm on ROBDDs

  • Synchronization between partitions

    • Cross-over images find states using TR_ij, i ≠ j

    • Must keep it infrequent

    • Postponed till the local fixpoint is reached


Reachability Example: Initial set

[Figure: four windows w1..w4; initial states I1(x) in w1 and I3(x) in w3. Event Queue: 1, 3]

Local Fix Point

[Figure: partition 1 iterates T11 on I1(x) to its local fixpoint; I3(x) waits in w3. Event Queue: 3]

Cross-over images

[Figure: from the local result R1, the cross-over images T12, T13, T14 are handed to w2, w3, w4. Event Queue: 3, 4]

Another Local Fix point

[Figure: partition 3 iterates T33 on I3(x) to its local fixpoint; R1 remains in w1. Event Queue: 4]

More Cross over images

[Figure: from R3, the cross-over images T31, T32, T34 are handed to w1, w2, w4. Event Queue: 4, 2, 1]

Example, cont.

[Figure: partition 4 iterates T44 to its local fixpoint; R1 and R3 remain. Event Queue: 1, 2]
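The old algorithm and the partitioned one side by side, on a constructed 16-state system. This is an added example, not code from the paper or its authors: explicit sets stand in for ROBDDs, the transition relation (each 4-bit state steps to 2s mod 16 and s+4 mod 16), the initial set {1} and the window function (the two high bits of the state) are assumptions of the example. reach_partitioned follows the event-queue schedule of the slides: a dequeued partition i runs its local fixpoint with TR_ii, then computes the cross-over images TR_ij for every other j and hands any new states to their owner, which is queued.

```python
from collections import deque

K = 4                                   # four windows

def window(s):
    """Window function: a 4-bit state belongs to the partition given by its two high bits."""
    return s >> 2

# Constructed transition relation (not from the paper): each 4-bit state has two successors.
TR = {s: {(2 * s) % 16, (s + 4) % 16} for s in range(16)}
S0 = {1}

def img(tr, states):
    """Img(TR, From): all successors of the given states."""
    return {t for s in states for t in tr[s]}

def reach_monolithic(tr, init):
    """The slide's algorithm with one (monolithic) set of reached states.
    Returns the reached set and the number of image computations."""
    reached, frontier, images = set(init), set(init), 0
    while frontier:
        to = img(tr, frontier)
        images += 1
        new = to - reached
        reached |= to
        frontier = new
    return reached, images

def reach_partitioned(tr, init):
    """Partitioned reachability: local fixpoints per window, cross-over images
    handed to the owning partition through an event queue.
    Returns {j: R_j} and the number of cross-over images computed."""
    R = {j: set() for j in range(K)}        # R_j: reached states owned by partition j
    pending = {j: set() for j in range(K)}  # states handed to j but not yet explored
    queue = deque()                         # event queue of partitions with pending work
    crossover_images = 0
    for s in init:
        pending[window(s)].add(s)
    for j in range(K):
        if pending[j]:
            queue.append(j)
    while queue:
        i = queue.popleft()
        frontier = pending[i] - R[i]
        pending[i].clear()
        R[i] |= frontier
        # Local fixpoint: iterate the image under TR_ii (successors that stay in window i).
        while frontier:
            to = {t for t in img(tr, frontier) if window(t) == i}
            frontier = to - R[i]
            R[i] |= frontier
        # Cross-over images T_ij = Img(TR_ij, R_i) for j != i, given to the owner j.
        for j in range(K):
            if j == i:
                continue
            crossover_images += 1
            t_ij = {t for t in img(tr, R[i]) if window(t) == j}
            fresh = t_ij - R[j] - pending[j]
            if fresh:
                pending[j] |= fresh
                if j not in queue:
                    queue.append(j)
    return R, crossover_images

if __name__ == "__main__":
    mono, n_img = reach_monolithic(TR, S0)
    parts, n_cross = reach_partitioned(TR, S0)
    print(sorted(mono), n_img, "images")
    print({j: sorted(R) for j, R in parts.items()}, n_cross, "cross-over images")
```

Both computations reach the same 12 states (every state except 3, 7, 11 and 15, which are only reachable from each other), and every state in R_j lies in window j; the cross-over count shows the quadratic transfer cost the slides warn about even on this small system.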


CTL: temporal properties

  • EX(f), E(fUg), EG(f) form a basis set

    • Invariant checking: AG p

    • Absence of deadlock

      • Return to reset state: AG EF(s0)

    • Temporal implication: AG(p → EF q)

    • Liveness: EG p, AF p


Image Computation EXp

    forall (partitions j)
        forall (partitions k)
            PreImg_jk(s) = ∃s′,i [ TR_jk(s, s′, i) ∧ p_k(s′) ]
            reorder BDD PreImg_jk from partition order k to j
        end for
        S_j = ∨_k PreImg_jk
    end for
    output S


Least Fix Point E(pUq)

    S := q, S.old := NULL
    repeat
        S.old := S
        temp := computeEX(S)
        forall (partitions j)
            S_j := q_j ∨ (p_j ∧ temp_j)
        end for
    until (S = S.old)
    output S


Greatest Fix Point EGp

    S := p
    repeat
        S.old := S
        temp := computeEX(S)
        forall (partitions j)
            S_j := p_j ∧ temp_j
        end for
    until (S = S.old)
    output S


What’s the problem?

  • Image computation has two parts

    • Transitions local to a partition (i = j)

    • Transitions crossing over partitions (i ≠ j)

  • Cross-over images are expensive!

    • Get BDDs, maybe from disk

    • Store BDDs, maybe over the network

    • Reorder large BDDs

  • The classical algorithm does one set of cross-over images during each EX.


Least Fix Point E(pUq)

    S := q, S.old := NULL
    repeat
        S.old := S
        forall (partitions j)
            repeat
                S_j.old := S_j
                S_j := S_j ∨ (p_j ∧ EXl(S_j, j))        … under-approximate
            until (S_j = S_j.old)
        end for
        S := S ∨ (p ∧ EXc(S))                          … add missing states
    until (S = S.old)
    output S


Greatest Fix Point EGp

    S := p
    Border := p ∧ EXc(S)                               … candidate set
    repeat
        S.old := S
        forall (partitions j)
            repeat
                S_j.old := S_j
                S_j := p_j ∧ (EXl(S_j, j) ∨ Border_j)   … over-approximate
            until (S_j = S_j.old)
        end for
        Border := p ∧ EXc(S)                           … prune states
    until (S = S.old)
    output S
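The classical fixpoints (computeEX with one set of cross-over images per EX, then E(pUq) and EGp on top of it) and the improved ones above (local fixpoints with EXl, one EXc per outer iteration) run on the same constructed model, counting how many sets of cross-over images each needs. This is an added example, not code from the paper or its authors: explicit sets stand in for ROBDDs, and the 16-state ring with a self-loop at state 0, the labelling (p everywhere except state 10, q only at state 5) and the window function (two high bits of the state) are assumptions of the example. EXl only follows transitions that stay inside a window, EXc only those that leave it, and the counter records every EXc call as one expensive set of cross-over images.

```python
K = 4                      # number of partitions (windows)
N = 16                     # states 0..15, four bits each

def window(s):
    """Window function: a 4-bit state belongs to the partition given by its two high bits."""
    return s >> 2

# Constructed Kripke structure (not from the paper): a 16-state ring with a self-loop at 0.
SUCC = {s: {(s + 1) % N} for s in range(N)}
SUCC[0].add(0)
P = frozenset(range(N)) - {10}   # p holds everywhere except state 10
Q = frozenset({5})               # q holds at state 5

class Counter:
    crossover_sets = 0           # how many sets of cross-over images were computed

def ex_local(S, j):
    """EXl(S_j, j): predecessors inside window j of (S ∩ window j), using TR_jj only."""
    return {s for s in range(N) if window(s) == j
            and any(t in S and window(t) == j for t in SUCC[s])}

def ex_cross(S):
    """EXc(S): predecessors of S via cross-over transitions TR_jk (j ≠ k); one expensive set of images."""
    Counter.crossover_sets += 1
    return {s for s in range(N) if any(t in S and window(t) != window(s) for t in SUCC[s])}

def ex(S):
    """Classical EX over the partitioned TR: every local image plus one set of cross-over images."""
    return set().union(*(ex_local(S, j) for j in range(K))) | ex_cross(S)

def in_window(S, j):
    return {s for s in S if window(s) == j}

def eu_naive(p, q):
    """Least fixpoint for E(p U q) computing a full EX (with cross-over images) in every iteration."""
    S, old = frozenset(q), None
    while S != old:
        old = S
        S = q | (p & ex(S))
    return S

def eu_improved(p, q):
    """E(p U q): run each partition to its local fixpoint with EXl, then one EXc per outer iteration."""
    S, old = frozenset(q), None
    while S != old:
        old = S
        for j in range(K):
            Sj, oj = in_window(S, j), None
            while Sj != oj:                         # local under-approximation of the fixpoint
                oj = Sj
                Sj = Sj | (p & ex_local(Sj, j))
            S = S | Sj
        S = S | (p & ex_cross(S))                   # add the states only reachable across partitions
    return S

def eg_naive(p):
    """Greatest fixpoint for EG p with a full EX in every iteration."""
    S, old = frozenset(p), None
    while S != old:
        old = S
        S = p & ex(S)
    return S

def eg_improved(p):
    """EG p: local greatest fixpoints kept alive by a Border of cross-over successors."""
    S, old = frozenset(p), None
    border = p & ex_cross(S)                        # candidates kept alive by a cross-over successor
    while S != old:
        old = S
        for j in range(K):
            Sj, oj = in_window(S, j), None
            while Sj != oj:                         # local over-approximation, pruned against the border
                oj = Sj
                Sj = p & (ex_local(Sj, j) | in_window(border, j))
            S = (S - in_window(S, j)) | Sj
        border = p & ex_cross(S)                    # prune the border against the shrunken S
    return S

def run(fn, *args):
    """Returns (result, number of cross-over image sets) for one fixpoint computation."""
    Counter.crossover_sets = 0
    result = fn(*args)
    return frozenset(result), Counter.crossover_sets

if __name__ == "__main__":
    for name, fn, args in [("E(pUq) naive", eu_naive, (P, Q)), ("E(pUq) improved", eu_improved, (P, Q)),
                           ("EGp naive", eg_naive, (P,)), ("EGp improved", eg_improved, (P,))]:
        result, sets = run(fn, *args)
        print(f"{name:16s} {sorted(result)}  cross-over image sets: {sets}")
```

On this model both algorithms agree: E(pUq) holds in states 0..5 and 11..15 and EG p in 0 and 11..15. The classical E(pUq) spends 11 sets of cross-over images because every EX pays for one, the improved version 4, since each local fixpoint walks a whole window before a cross-over step is taken; for EG p the counts are 10 against 5 (the improved algorithm pays one extra set for the initial Border). When all transitions were cross-over transitions the local fixpoints would do nothing and the two would cost the same, which is the "no worse than" case of the conclusions.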


Conclusions

Assuming a model where cross-over images are very expensive, the proposed algorithm:

  • Is no worse than the classical algorithm

  • Converges faster, empirically, in terms of

    • Number of cross-over images

    • Time spent in cross-over images

  • Reduces total model checking time

    • Often quite significantly

  • Is good for parallel model checking