1 / 19

Image Computation Methods: Splitting vs. Conjoining in Symbolic Model Checking

Explore the comparison between Transition Relation and Transition Function Methods in image computation for formal verification, highlighting the benefits and drawbacks of each approach and proposing a hybrid method. The discussion includes the impacts on model checking and the potential for combining the strengths of both techniques. Experimental results and conclusions are presented to validate the effectiveness of the hybrid approach in reaching conclusions efficiently.

laird
Download Presentation

Image Computation Methods: Splitting vs. Conjoining in Symbolic Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. To Split or to Conjoin:The Question in Image Computation 1 {mooni, fabio}@colorado.eduUniversity of Colorado at Boulder 2 kukula@synopsys.comSynopsys Inc. 3 kravi@cadence.comCadence Inc. In-Ho Moon1, James Kukula2Kavita Ravi3, Fabio Somenzi1

  2. Outline • Introduction • Image Computation Methods • Transition Relation Method • Transition Function Method • Transition Relation vs. Function Methods • Hybrid Image Computation • Experimental Results • Conclusions

  3. Introduction • Model Checking • The most widely used method in formal verification • Does the system (implementation) satisfy the property (specification)? • State space explosion • BDD explosion in symbolic model checking • The explosion occurs mostly in intermediate BDDs during conjunctions in image/preimage computations. • Image/Preimage Computations • Finding all successor/predecessor states from the given states at once, respectively • The key steps in symbolic model checking

  4. Contribution Symbolic Reachability Analysis Model Checking Image/Preimage Computations BDD Operations

  5. Image Computation • Two approaches • Transition Relation Method [ICCAD90, DAC91] • Conjunctions • Transition Function Method [IFIP89, ICCAD90] • Recursive splitting • Transition relation method is superior to transition function method in most cases • In some cases, transition function method is more efficient than transition relation method. • Especially, in most cases of approximate reachability analysis. • Questions • Why is that? • What if we combine the two methods?

  6. Transition Relation Method • Image Computation • Img(T(x,w,y), C(x)) =  x,w. ( Ti(x,w,y)  C(x)) • Preimage Computation • Pre(T(x,w,y), C(y)) =  y,w. ( Ti(x,w,y)  C(y)) • Early Quantification • u. ( f(u, v)  g(v) ) = ( u. f(u, v) ) g(v) • Img(T, C) =  v1. (T1  ···   vk. (Tk  C)) 1  i  k 1  i  k

  7. Transition Function Method • Image Computation [IFIP89, ICCAD90] • Input Splitting • Output Splitting • Preimage Computation • Simultaneous Substitution [CAV91] • Sequential Substitution [PhD92] • Domain Cofactoring [ICCAD98]

  8. Transition Function Method (Cont’d) • Input Splitting • Img(f(x,w), C(x)) = Img(fv, Cv) + Img(fv’, Cv’) • f = (f1, …, fm) : function vector • v : splitting variable (x or w) • Occurs most frequently in the supports [Cho96] • Constant Functions • Img((f1=1, …, fm), C) = y1 Img((f2, …, fm), C) • Img((f1=0, …, fm), C) = y1’  Img((f2, …, fm), C) • Terminal Cases • Img(f, 0) = 0 • Img(|f|1, C) = 1 where f is non-constant & C  0 • From the implementation point of view, we don’t need y variables in the transition function method.

  9. Transition Function Method (Cont’d) • Domain Cofactoring • Pre(f, C) = v • Pre(fv, C) + v’ • Pre(fv’, C) • v : splitting variable (x) • Constant Functions • Pre((f1=1, …, fm), C) = Pre((f2, …, fm), Cy1) • Pre((f1=0, …, fm), C) = Pre((f2, …, fm), Cy1’) • Terminal Cases • Pre(f, 1) = 1 • Pre(f, 0) = 0 • Pre(|f|=0, C) = C • Optimization • Drop fj if yj  support(C(y))

  10. Transition Relation vs. Function Methods • Transition Function Methods • Based on splitting • Needs one set of state variables • Good : takes much less memory in most cases • Bad : may have too many recursive calls • Transition Relation Methods • Based on conjunction • Needs two sets of state variables • Good : much faster in most cases • Bad : intermediate BDDs may grow very large Question : Can we combine the merits of both methods?

  11. Hybrid Image Computation Split Split Conjoin Conjoin Dynamic Hybrid Static Hybrid

  12. Dependence Matrix Quantify Conjunction • Average Variable Lifetime  = 1 j  n(m - ij + 1) m  n From • Dependence Matrix • m : the number of functions • n : the number of variables • dij = 1 : i-th function depends on j-th variable d1 d2 d3 dm m n  = (4+4+3+1) / (4 x 4) = 12 / 16 = 0.75

  13. Examples (32-bit rotator & multiplier) Good quantification schedule May be easy for conjunctions No good quantification schedule Needs splitting

  14. Example (hw_top & one submachine) • Explains why splitting is better than conjunction in approximate reachability.

  15. To Split or to Conjoin • Variable lifetime  • Conjoin if   0.5 +  • Split otherwise • Min/Max decision depth • Min : splitting may help for even small  • Max : to avoid too deep recursions • Decide only between min and max depth

  16. Experimental Results - 1 • Time in Reachability Analysis

  17. Experimental Results - 2 • Time in Approximate Reachability Analysis

  18. Experimental Results - 3 • Time in Model Checking • Without Reachability Analysis

  19. Conclusions • We have presented a hybrid image method • Combining the conjunction and splitting approaches • Dynamic decision whether to split or to conjoin based on variable lifetime from the dependence matrix • Much more robust than either pure method • The analysis of dependence matrix explains why splitting is better than conjunction in approximate reachability • Future Work • Improve decision strategy • Analyze why the results for preimage were not as good as those for image

More Related