Post on 08-Feb-2016
Exploration of Large State Spaces
Armando Tacchella
Lab - Software Engineering
DIST – Università di Genova
Scenario
Applications: formal verification; planning.
Issues: Is there a bug in the design? Is there a plan to reach the goal?
Formal verification: modulo 4 counter
Bug: it is not possible to reach s00 starting from s01 or s10.
The bug can be discovered, e.g., by trying to reach s00 either from s01 or from s10.
[Figure: state diagrams of the modulo 4 counter, states 00, 01, 10, 11]
Why formal verification?
Implementation bugs, by category:
- Goof
- Complexity
- Logic/Microcode change
- Microarchitecture
- Corner cases
- Documentation
- Design mistake
- Incorrect assertion
- Random initialization
- Late definition
- Miscommunication
- Power related
Presented at DAC2001 by: Bob Bentley, Intel Corp.
Planning: blocks world
A block can be on top of another block or on top of the table.
Blocks can be moved from a source to a destination.
The goal is to rebuild the tower upside-down.
The plan is the sequence of moves to the goal.
[Figure: a tower of blocks numbered 1 to 5]
Common model
- Set of states (configurations)
- Transitions between states
- Set of initial states
- Set of final states
Is there a path from some initial state to some final state? This is a reachability problem on a graph.
Reachability: graph representation
Each node is a state, each arc is a transition.
One or more sources (initial states).
One or more targets (final states).
Reachability can be solved with standard graph algorithms (e.g., depth-first or breadth-first search).
Optimization on the path length can be done using, e.g., Dijkstra's algorithm.
Representing states
States are encoded using vectors of boolean variables.
State variable $x = (x_1, \dots, x_N)$. A state is an assignment of boolean values $\{0,1\}$ to the state variable: state $s = (v_1, \dots, v_N)$ where $v_i \in \{0,1\}$.
How large is the state space? At most $2^N$ states (and $2^{2N}$ transitions). In real sized problems $N$ is easily $> 100$. How large is $2^{100}$? Consider that $2^{100}$ ns is roughly $4 \cdot 10^{13}$ years.
Classical graph representations may not be feasible in practice!
Symbolic encoding
Use boolean formulas to encode: initial states $I(x)$, transitions $T(x, x')$, final states $F(x)$.
Given two states $s, t$:
- $I(s) = 1$ exactly when $s$ is an initial state
- $T(s, t) = 1$ exactly when there is a transition from $s$ to $t$
- $F(s) = 1$ exactly when $s$ is a final state
A glimpse into Boolean logic...
Every variable ($x_1, x_2, \dots$) is a formula. If $F$ and $G$ are formulas, then $\neg F$ (negation of $F$), $F + G$ (disjunction), $F \cdot G$ (conjunction) and $F \to G$ (implication) are formulas.
Consider the following abbreviations:
$$\sum_{i=0}^{k} F_i = F_0 + F_1 + \dots + F_k \qquad\qquad \prod_{i=0}^{k} F_i = F_0 \cdot F_1 \cdots F_k$$
and $F \oplus G$ (exclusive or) for $(F + G) \cdot \neg(F \cdot G)$.
Symbolic encoding (example)
Modulo 4 counter: the state is $x = (x_1, x_2)$ with $x_1$ the least significant bit, so the four states, written as the binary number $x_2 x_1$, are 00, 01, 10, 11:
$$T_4(x, x') = (x_1 \oplus x_1') \cdot \big(x_1 \to (x_2 \oplus x_2')\big) \cdot \big(\neg x_1 \to \neg(x_2 \oplus x_2')\big)$$
i.e., $x_1$ toggles at every step and $x_2$ toggles exactly when $x_1 = 1$.
Modulo 8 counter, states $x_3 x_2 x_1$ in 000, 001, 010, 011, 100, 101, 110, 111: in addition, $x_3$ toggles exactly when $x_1 = x_2 = 1$,
$$T_8(x, x') = T_4(x, x') \cdot \big(x_1 \cdot x_2 \to (x_3 \oplus x_3')\big) \cdot \big(\neg(x_1 \cdot x_2) \to \neg(x_3 \oplus x_3')\big)$$
[Figure: state diagrams of the modulo 4 and modulo 8 counters]
In general an $N$-bit counter (modulo $2^N$) has $2^N$ nodes, while $T_{2^N}(x, x')$ has $O(N^2)$ symbols.
Bounded symbolic reachability
Reaching a final state from an initial one with a path of length at most $k$ (nodes):
$$R(x^1, \dots, x^k) = I(x^1) \cdot \prod_{i=1}^{k-1} T(x^i, x^{i+1}) \cdot \sum_{i=1}^{k} F(x^i)$$
where $x^i$ is a fresh copy of the state variable for the $i$-th state on the path.
If $R(s_1, \dots, s_k) = 1$ then the sequence $s_1, \dots, s_k$ has the following properties ($i \in \{1, \dots, k\}$): $I(s_1) = 1$; $T(s_i, s_{i+1}) = 1$ for all $i < k$; $F(s_i) = 1$ for some $i$.
Symbolic reachability (example)
Modulo 4 counter (bugged), initial state s10, final state s00, $k = 3$:
$$R(x^1, x^2, x^3) = I(x^1) \cdot T(x^1, x^2) \cdot T(x^2, x^3) \cdot \big(F(x^1) + F(x^2) + F(x^3)\big)$$
with $I(x) = x_2 \cdot \neg x_1$ (state s10), $F(x) = \neg x_2 \cdot \neg x_1$ (state s00) and $T(x, x')$ the transition relation of the bugged counter.
[Figure: state diagram of the bugged modulo 4 counter, states 00, 01, 10, 11]
$R(x^1, x^2, x^3) = 0$ for all values of $x^1, x^2, x^3$: s00 is unreachable from s10 within three states (and, since the counter has only four states, a path of at most four states decides reachability for any length).
Solving symbolic reachability
Symbolic encodings enable handling of large state spaces.
Bounded symbolic reachability amounts to finding $s_1, \dots, s_k$ such that $R(s_1, \dots, s_k) = 1$, i.e., deciding whether the boolean formula $R$ is satisfiable or not (a.k.a. the SAT problem).
There is no free lunch: SAT is NP-hard! Is this a limitation?
A glimpse into complexity...
Two resources: TIME (omitted) and SPACE. P = polynomial, EXP = exponential, N = non-deterministic, co = complement of.
$$\mathrm{P} \subseteq \mathrm{NP},\ \mathrm{co\text{-}NP} \subseteq \mathrm{PSPACE} \subseteq \mathrm{EXP}$$
- Reachability (on an explicit graph): P
- Bounded symbolic reachability and SAT: NP
- Symbolic reachability and Q-SAT: PSPACE
Solving SAT: preliminaries
Formulas in Conjunctive Normal Form: the formula is a set (conjunction) of clauses; each clause is a set (disjunction) of literals; a literal is a variable or the negation of a variable.
$$F = \prod_{i=0}^{C} \sum_{j=0}^{L_i} l_{ij} = \big\{\{l_{00}, \dots, l_{0L_0}\}, \dots, \{l_{C0}, \dots, l_{CL_C}\}\big\}$$
Given any formula $F$ it is always possible to produce $F'$ in CNF such that $F'$ is satisfiable exactly when $F$ is satisfiable and $|F'| = \mathrm{poly}(|F|)$.
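The polynomial-size CNF conversion claimed above is the Tseitin transformation: every binary connective gets a fresh variable constrained to equal the connective's value, so the CNF grows linearly instead of exponentially. The following Python is an added example, not code from the slides; the tuple-based formula syntax, the DIMACS-style clause representation and the names tseitin, models and projected_cnf_models are this example's own choices. It converts the modulo 4 counter transition relation T4 and checks by brute force that the models of the CNF, projected onto the original variables, are exactly the models of T4 (a stronger property than equisatisfiability, which Tseitin's encoding also guarantees).

```python
"""Tseitin transformation: any formula -> equisatisfiable CNF of linear size.

Added example, not code from the original slides.  The formula syntax
(nested tuples) and all function names are this example's own choices.

Formulas:  ('var', name) | ('not', F) | ('and', F, G) | ('or', F, G)
           | ('imp', F, G) | ('xor', F, G)
CNF:       list of clauses; a clause is a list of DIMACS-style literals,
           +v for "variable v is true", -v for "variable v is false".
"""
import itertools


def tseitin(formula):
    """Return (cnf, varmap).  One fresh variable g is introduced per binary
    connective and constrained by g <-> (a op b); negation costs nothing
    (the literal is just flipped).  cnf is satisfiable iff formula is, and
    its size is linear in the size of formula."""
    varmap = {}          # original variable name -> DIMACS index
    clauses = []
    next_var = [0]

    def fresh():
        next_var[0] += 1
        return next_var[0]

    def lit_of(f):
        kind = f[0]
        if kind == 'var':
            if f[1] not in varmap:
                varmap[f[1]] = fresh()
            return varmap[f[1]]
        if kind == 'not':
            return -lit_of(f[1])
        a, b = lit_of(f[1]), lit_of(f[2])
        g = fresh()
        if kind == 'and':      # g <-> a.b
            clauses.extend([[-g, a], [-g, b], [g, -a, -b]])
        elif kind == 'or':     # g <-> a+b
            clauses.extend([[-g, a, b], [g, -a], [g, -b]])
        elif kind == 'imp':    # g <-> (-a + b)
            clauses.extend([[-g, -a, b], [g, a], [g, -b]])
        elif kind == 'xor':    # g <-> (a xor b)
            clauses.extend([[-g, a, b], [-g, -a, -b], [g, -a, b], [g, a, -b]])
        else:
            raise ValueError("unknown connective: %r" % (kind,))
        return g

    root = lit_of(formula)
    clauses.append([root])   # the formula itself must hold
    return clauses, varmap


def eval_formula(f, env):
    """Truth value of f under env: variable name -> bool."""
    kind = f[0]
    if kind == 'var':
        return env[f[1]]
    if kind == 'not':
        return not eval_formula(f[1], env)
    a, b = eval_formula(f[1], env), eval_formula(f[2], env)
    return {'and': a and b, 'or': a or b,
            'imp': (not a) or b, 'xor': a != b}[kind]


def eval_cnf(cnf, values):
    """values: DIMACS index -> bool."""
    return all(any(values[abs(l)] == (l > 0) for l in clause) for clause in cnf)


def models(formula, names):
    """All assignments to `names` (as bool tuples) satisfying formula."""
    return {bits for bits in itertools.product((False, True), repeat=len(names))
            if eval_formula(formula, dict(zip(names, bits)))}


def projected_cnf_models(cnf, varmap, names):
    """Models of cnf over all its variables (original + auxiliary),
    projected onto `names`.  Equals models(formula, names) for a correct
    Tseitin encoding."""
    nvars = max(abs(l) for clause in cnf for l in clause)
    found = set()
    for bits in itertools.product((False, True), repeat=nvars):
        values = {i + 1: bits[i] for i in range(nvars)}
        if eval_cnf(cnf, values):
            found.add(tuple(values[varmap[n]] for n in names))
    return found


def var(name):
    return ('var', name)


# T_4(x,x') of the modulo 4 counter (x1 the low bit): x1 always toggles,
# x2 toggles exactly when x1 = 1.
x1, x2, x1n, x2n = var('x1'), var('x2'), var("x1'"), var("x2'")
T4 = ('and', ('xor', x1, x1n),
      ('and', ('imp', x1, ('xor', x2, x2n)),
              ('imp', ('not', x1), ('not', ('xor', x2, x2n)))))


def counter_demo():
    """Returns (number of clauses, models of T4, projected models of its CNF)."""
    cnf, varmap = tseitin(T4)
    names = ['x1', 'x2', "x1'", "x2'"]
    return len(cnf), models(T4, names), projected_cnf_models(cnf, varmap, names)
```

For T4 the encoding produces 25 clauses over 11 variables (4 original plus 7 auxiliary), and the two model sets coincide: four models, one per state, each pairing a state with its unique successor. Distributing the formula into CNF by hand, as done on the next slide, is fine for a formula this small; the Tseitin encoding is what makes the unrolled reachability formula R tractable when k and N grow.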
Formulas and CNF (example)
Start from $T_4(x, x')$ of the modulo 4 counter and rewrite it step by step:
$$T_4(x, x') = (x_1 \oplus x_1') \cdot \big(\neg x_1 + (x_2 \oplus x_2')\big) \cdot \big(x_1 + \neg(x_2 \oplus x_2')\big)$$
Apply $x \oplus y \equiv (x + y) \cdot \neg(x \cdot y)$:
$$= (x_1 + x_1') \cdot \neg(x_1 \cdot x_1') \cdot \big(\neg x_1 + (x_2 + x_2') \cdot \neg(x_2 \cdot x_2')\big) \cdot \big(x_1 + \neg\big((x_2 + x_2') \cdot \neg(x_2 \cdot x_2')\big)\big)$$
Apply $\neg(x \cdot y) \equiv \neg x + \neg y$ (De Morgan) and distribute $+$ over $\cdot$, dropping tautological clauses:
$$= (x_1 + x_1') \cdot (\neg x_1 + \neg x_1') \cdot (\neg x_1 + x_2 + x_2') \cdot (\neg x_1 + \neg x_2 + \neg x_2') \cdot (x_1 + x_2 + \neg x_2') \cdot (x_1 + \neg x_2 + x_2')$$
$T_4(x, x')$ in CNF, as a set of clauses:
$$\big\{\{x_1, x_1'\},\ \{\neg x_1, \neg x_1'\},\ \{\neg x_1, x_2, x_2'\},\ \{\neg x_1, \neg x_2, \neg x_2'\},\ \{x_1, x_2, \neg x_2'\},\ \{x_1, \neg x_2, x_2'\}\big\}$$
Solving SAT: search algorithm
F is a set of clauses; F = {} (no clauses left) is satisfied, while {} ∈ F (an empty clause) is a contradiction.

    Search(F)
        Simplify(F)
        if F = {} then return 1
        if {} ∈ F then return 0
        l ← ChooseLiteral(F)
        if Search(F ∪ {{l}}) then return 1
        else return Search(F ∪ {{¬l}})

    Simplify(F)
        while ∃ l : {l} ∈ F do
            for each C ∈ F : l ∈ C    do F ← F \ {C}
            for each C ∈ F : ¬l ∈ C   do F ← (F \ {C}) ∪ {C \ {¬l}}
        end

Simplify is unit propagation: a unit clause {l} forces l, so every clause containing l is satisfied and removed, and ¬l is deleted from the remaining clauses.
Search process (example)
$F = \big\{\{x_1, x_1'\}, \{\neg x_1, \neg x_1'\}, \{\neg x_1, x_2, x_2'\}, \{\neg x_1, \neg x_2, \neg x_2'\}, \{x_1, x_2, \neg x_2'\}, \{x_1, \neg x_2, x_2'\}\big\}$
ChooseLiteral returns $x_1$: $F \cup \{\{x_1\}\}$
Simplify derives $x_1$ and $\neg x_1'$ and reduces: $\big\{\{x_2, x_2'\}, \{\neg x_2, \neg x_2'\}\big\}$
ChooseLiteral returns $x_2$: $\big\{\{x_2, x_2'\}, \{\neg x_2, \neg x_2'\}, \{x_2\}\big\}$
Simplify derives $x_2$ and $\neg x_2'$ and reduces: $\{\}$
The formula is satisfiable with $x_1, x_2, \neg x_1', \neg x_2'$, which is the transition from 11 to 00.
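Putting the pieces together: the Search/Simplify procedure above, the bounded reachability formula R and the modulo 4 counter example, as an added Python example (not code from the slides). The clause representation, the variable numbering, the function names and, in particular, the transition relation chosen for the "bugged" counter (x2 is set but never cleared, which reproduces the behaviour described in the slides: 00 is unreachable from 01 and from 10) are this example's own assumptions. Run on the six clauses of T4(x, x'), search reproduces the trace above literally: it decides x1, propagates ¬x1', decides x2, propagates ¬x2'.

```python
"""Bounded symbolic reachability of the modulo 4 counter, solved with the
Search/Simplify procedure from the slides (DPLL without learning).

Added example, not code from the original slides.  Variable numbering, the
transition relation used for the 'bugged' counter and all helper names are
this example's own assumptions.  Clauses use DIMACS-style integer literals
(+v: variable v true, -v: v false).  A state is written as the string
"x2x1" with x1 the low bit, so "10" means x2 = 1, x1 = 0.
"""


def simplify(clauses):
    """Simplify(F): while some clause is a unit {l}, drop every clause
    containing l and delete -l from the remaining ones.
    Returns (reduced clauses, literals derived by propagation)."""
    clauses = [list(c) for c in clauses]
    derived = []
    while True:
        unit = next((c[0] for c in clauses if len(c) == 1), None)
        if unit is None:
            return clauses, derived
        derived.append(unit)
        reduced = []
        for c in clauses:
            if unit in c:
                continue                                  # satisfied
            if -unit in c:
                c = [l for l in c if l != -unit]          # falsified literal
            reduced.append(c)
        clauses = reduced


def search(clauses, assignment=frozenset()):
    """Search(F): a satisfying set of literals, or None if F is UNSAT.
    ChooseLiteral is the simplest possible: first literal of first clause."""
    clauses, derived = simplify(clauses)
    assignment = assignment | frozenset(derived)
    if not clauses:
        return assignment                                 # F = {}
    if any(len(c) == 0 for c in clauses):
        return None                                       # {} in F
    lit = clauses[0][0]
    result = search(clauses + [[lit]], assignment)
    if result is None:
        result = search(clauses + [[-lit]], assignment)
    return result


def counter_t(a, b, a2, b2):
    """T(x,x') of the correct counter, the six clauses derived on the slides,
    over DIMACS variables a = x1, b = x2, a2 = x1', b2 = x2':
    x1 always toggles; x2 toggles iff x1 = 1."""
    return [[a, a2], [-a, -a2],
            [-a, b, b2], [-a, -b, -b2],
            [a, b, -b2], [a, -b, b2]]


def bugged_t(a, b, a2, b2):
    """Assumed bug for this example: x2' <-> (x2 + x1), i.e. x2 is set but
    never cleared.  00 -> 01 -> 10 -> 11 -> 10 -> 11 ..., so starting from
    01 or 10 the state 00 is never reached."""
    return [[a, a2], [-a, -a2],
            [-b2, b, a], [b2, -b], [b2, -a]]


def bounded_reachability(trans, init, final, k):
    """Build R(x^1..x^k) = I(x^1) . prod_i T(x^i,x^{i+1}) . sum_i F(x^i) as
    CNF and solve it.  Returns the states of a path from init that reaches
    final within k states, or None if R is unsatisfiable."""
    def x1(i): return 2 * i - 1       # DIMACS variable of bit x1 of state i
    def x2(i): return 2 * i           # DIMACS variable of bit x2 of state i

    def state_lits(i, s):             # literals saying "state i is s"
        return [x2(i) if s[0] == '1' else -x2(i),
                x1(i) if s[1] == '1' else -x1(i)]

    clauses = [[l] for l in state_lits(1, init)]                 # I(x^1)
    for i in range(1, k):
        clauses += trans(x1(i), x2(i), x1(i + 1), x2(i + 1))     # T(x^i, x^{i+1})
    # sum_i F(x^i): a selector f_i per step, f_i -> "state i is final",
    # and at least one f_i must hold.
    f = [2 * k + i for i in range(1, k + 1)]
    for i in range(1, k + 1):
        clauses += [[-f[i - 1], l] for l in state_lits(i, final)]
    clauses.append(f)

    model = search(clauses)
    if model is None:
        return None
    path = []
    for i in range(1, k + 1):        # the counter is deterministic, so every
        s = "%d%d" % (x2(i) in model, x1(i) in model)   # state bit is propagated
        path.append(s)
        if s == final:
            return path
    return path


if __name__ == "__main__":
    print(bounded_reachability(counter_t, "10", "00", 3))   # ['10', '11', '00']
    print(bounded_reachability(bugged_t, "10", "00", 4))    # None
```

Because the encoding has the initial state fixed by unit clauses and the counter is deterministic, Simplify alone propagates the whole path; the only real decisions are on the selector variables f_i. That is exactly the situation described next: when the error trace is short, bounded reachability via SAT is cheap, and the cost comes from the number of unrolled copies of T rather than from the search.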
Solving SAT: in practice
The performance of the search algorithm critically depends on:
- the particular ChooseLiteral heuristic
- the amount of simplification performed
- the smartness of the backtracking schema
No silver bullet, but state-of-the-art SAT solvers can solve industrial scale problems with thousands of variables!
Research issues
Bounded symbolic reachability via SAT performs very well on bug-finding when the error trace is short, or the diameter of the search space is small.
Nevertheless, since there can be up to $2^N$ states, it may not be feasible for general symbolic reachability, and it can become impractical even for error traces of reasonable length.
Research issues (ctd.)
Tools for reasoning with boolean formulas are routinely used in research and industry and reach good performance and capacity standards.
Nevertheless, most of them are special purpose (disposable code); they are difficult (if not impossible) to integrate into existing systems; most often they are unsupported, undocumented, and not robust enough for time/safety/money-critical applications.
Lab core research
Encodings for (bounded) symbolic reachability exploiting quantified Boolean formulas: compact and (possibly) effective, but challenging, since solving Q-SAT is PSPACE-hard!
A toolkit for reasoning with Boolean formulas:
- handles quantified Boolean formulas
- features a component-based architecture
- integrates several services, e.g., enumeration of assignments, logic minimization, ...
- is reasonably efficient w.r.t. special purpose tools
Formal verification projects
- FIRB: Knowledge Level Automated Software Engineering (ends in 2005)
- PRIN: Advanced Reasoning Systems for the Representation and Formal Verification of Complex Systems (ends in 2004)
- INTEL: SAT Solvers for Symbolic Model Checking and Formal Verification (2001-2003)
Planning projects
- ASI-DOVES: Enabling On-board Autonomy: A Platform for the Development of Verified Software (ends in 2004)
- ASI-SACSO: Safety Critical Software for Planning Space Robotics (ends in 2004)
- ASI-GMES: An innovative system for the management of satellite constellations and its application to environmental protection (proposal)
- RoboCare: A multi-agent system with fixed components and intelligent mobile robotic components (ends in 2005)
FIRB: Knowledge Level Automated Software Engineering
Budget: 4 million euro
Partners:
- DIT, Università di Trento
- DIS, Università "La Sapienza"
- Delisa-Delta Dator, Trento
- DIST, Università di Genova
- IRST, Istituto Trentino di Cultura
FIRB (objectives)
- A Knowledge Level Automated Software Engineering methodology
- A requirement, actor and goal oriented framework
- Theories and techniques for code analysis
- A concept demonstrator prototype, integrating the developed techniques
- The application of the prototype to a case study
FIRB (activities)
- Development of a methodology based on the goal/actors paradigm
- Automated reasoning for validation and verification of software (QBF, BMC, SAT, ...)
- Automated planning for software development automation
- Natural language processing for documentation analysis
- Analysis and testing of systems based on the goal/actors paradigm
Lab activities on FIRB
- Development of a planning language for the goal/actor framework
- Study and development of planning techniques based on SAT
- Study and development of planning techniques based on QBF
- Development of a tool for formal verification
Thesis students wanted for FIRB
Good knowledge of: basic computer science (algorithms and data structures); standard C/C++; English.
Availability: to work hard in a young and growing team; to spend periods in Trento during the thesis; to start the thesis in September/October 2003.
Programme: initial training in Genova during the thesis; completion of the activity at ITC/IRST in Trento with a one-year collaboration contract.