Exploration of Large State Spaces

Armando Tacchella Lab - Software EngineeringDIST – Università di Genova

ScenarioApplications

Formal verification Planning

Issues Is there a bug in the design? Is there a plan to reach the goal?

Formal verification Modulo 4 counter Bug: it is not possible

to reach s00 starting from s01 or s10

The bug can be discovered, e.g., by trying to reach s00

either from s01 or s10

00 01

1011

00 01

1011

00 01

10

Why formal verification?

Implementatio

n Bugs

Goof

Complexity

Logic/Microcode changeMicroarchitecture

Corner cases

Documentation Design mistake

Incorrect assertion

Random initialization

Late definition

Miscommunication

Power related

Presented at DAC2001 by: Bob Bentley, Intel Corp.

Planning Blocks world A block can be:

on top of another block on top of the table

Blocks can be moved from a source to a destination

The goal is to rebuild the tower upside-down

The plan is the sequence of moves to the goal

1

5

2

3 4

Common modelSet of states (configurations)Transitions between states Set of initial statesSet of final states Is there a path from some initial state to

some final state?Solving a reachability problem on a

graph

Reachability Graph representation

each node is a state each arc is a transition

One ore more sources (initial states)

One ore more targets (final states)

Reachability can be solved with standard graph algorithms

Optimization on the path length can be done using, e.g., Djikstra algorithm

Representing statesStates are encoded using vectors of

boolean variablesState variable x = { x1, ... ,xN } A state is an assignment of boolean

values {0,1} to a state variable State s = { v1, ... ,vN } where vi {0,1}

How large is the state space?2N states (and 22N transitions) at most In real sized problems N is easily >100How large is 2100? Consider that 2100ns ~ 3·1012yrClassical graph representations may not

be feasible in practice!

Symbolic encoding Use boolean formulas to encode:

Initial states I(x) Transitions T(x, x’) Final states F(x)

Given two states s,t I(s) = 1 exactly when s is an initial state T(s,t) = 1 exactly when there is a transition

between s and t F(s) = 1 exactly when s is a final state

A glimpse into Boolean logic...Every variable (x1, x2, ...) is a formula If F and G are formulas

F is a formula (negation of F) F+G (disjunction), F·G (conjunction),

FG (implication) are formulasConsider the following abbreviations:

k

k

ik

k

k

ik

FFF

FFF

00

00

k

k

FFF

F

0

0

Symbolic encoding (example)00 01

1011

000 001 010 011

100101110111

212

212

11

11

4

'

'

'

'

)',(

xxx

xxx

xx

xx

xxT

2123

3123

212

212

11

11

8

'

'

'

'

'

'

)',(

xxxx

xxxx

xxx

xxx

xx

xx

xxT

Counter modulo N 2N nodes TN O(N2) symbols

Bounded symbolic reachability Reaching a final state from an initial one with a path

of length at most k (nodes)

If R(s1, ... ,sk)=1 then the sequence s1, ... ,sk has the following properties (i {1, ... ,k}): I(s1)=1 T(si,si+1)=1 for all si F(si)=1 for some si

k

ii

k

iiik xFxxTxIxxR

1

1

11,11 )()()(),,(

Symbolic reachability (example)

3

112

2

1

)1(212

)1(212

)1(11

)1(11

1121321 )(),,(i

iii

iii

iii

ii

ii

xx

xxx

xxx

xx

xx

xxxxxR

212

212

11

11

'

''

'

)',(

xxx

xxxxx

xx

xxT

00 01

1011

Modulo 4 counter (bugged)

12

12

)(

)(

xxxF

xxxI

10

00

Initial state s10, final state s00

R(x1,x2,x3) = 0 for all values of x1,x2,x3 s00 is unreachable from s10

Solving symbolic reachabilitySymbolic encondings enable handling

of large state spacesBounded symbolic reachability amounts

to finding s1, ... ,sk s.t. R(s1, ... ,sk)=1Decide whether the boolean formula R

is satisfiable or not (a.k.a. SAT problem)There is no free lunch: SAT is NP-hard! Is this a limitation?

A glimpse into complexity... Two resources: TIME (omitted) and SPACE P = polynomial, EXP = exponential N = non-deterministic co = complement of

NP co-NP

PPSPACEEXP

Bounded symbolic reachability and SAT Symbolic reachability and Q-SAT

Reachability

Solving SAT: preliminaries Formulas in Conjunctive Normal Form:

The formula is a set (conjunction) of clauses Each clause is a set (disjunction) of literals A literal is a variable or the negation of a variable

Given any formula F it is always possible to produce F’ in CNF s.t. F’ is satisfiable exactly when F is satisfiable and |F’|=poly(|F|)

C

i

L

jij

C

i

L

jij

ii

ll0 00 0

}{

Formulas and CNF (example)

212

212

11

11

'

'

'

'

xxx

xxx

xx

xx

212

212

11

11

')(

')(

''

xxx

xxx

xxxx

212

212

11

11

'

'

''

xxx

xxx

xxxx

}',,{

},',,{

},',{},',{

212

212

11

11

xxx

xxx

xxxx

T4(x,x’) xy x+y (x·y) x+y T4(x,x’) in CNF

Solving SAT: search algorithmSearch(F)

Simplify(F)if F= return 1if F return 0l ChooseLiteral(F)if Search(F{l}) then return 1else return Search(F{-l})

Simplify(F)while l : {l}F do for each CF : lC F = F/{C} for each CF : -lC F = F/{C}{C/{-l}}end

Search process (example)}}',,{},',,{},',{},',{{ 2122121111 xxxxxxxxxx

}}{},',,{

},',,{},',{},',{{

1212

2121111

xxxx

xxxxxxx

}}',{},',{},'{{ 22221 xxxxx

}}',{},',{{ 2222 xxxx

}}{},',{},',{{ 22222 xxxxx

}}'{{ 2x

1x returns ralChooseLite

11 'xx derives and reduces Simplify

2x returns ralChooseLite

22 'xx derives and reduces Simplify

{}00 to 11 from transition the is which

withesatisfiabl is formula The 2121 ',',, xxxx

Solving SAT: in practiceThe performance of the search

algorithm critically depends on the particular ChooseLiteral heuristic the amount of simplification performed the smartness of the backtracking schema

No silver bullet, but state-of-the-art SAT solvers can solve industrial scale problems with thousands of variables!

Research issues Bounded symbolic reachability via SAT

performs very well on bug-finding when the error trace is short, or the diameter of the search space is small

Nevertheless since there can be up to 2N states, it may not be

feasible for general symbolic reachability, and it can become impractical even for error traces of

reasonable lengths

Research issues (ctd.) Tools for reasoning with boolean formulas

are routinely used in reasearch and industry reach good performance and capacity standards

Nevertheless most of them is special purpose (disposable code) they are difficult (if not impossible) to integrate into

existing systems most often they are unsupported, undocumented,

not robust enough for time/safety/money-critical applications

Lab core research Encodings for (bounded) symbolic reachability

exploiting quantified Boolean formulas compact and (possibly) effective, but challenging: solving Q-SAT is PSPACE-hard!

A toolkit for reasoning with Boolean formulas handles quantified Boolean formulas features a component-based architecture Integrates several services, e.g., enumeration of

assignments, logic minimization, … is reasonably efficient w.r.t. special purpose tools

Formal verification projects FIRB: Knowledge Level Automated Software

Engineering ( ends in 2005) PRIN: Advanced Reasoning Systems for the

representation and Formal Verification of Complex Systems (ends in 2004)

INTEL: SAT Solvers for Symbolic Model Checking and Formal Verification (2001-2003)

Planning projects ASI-DOVES: Enabling On-board Autonomy: A

platform for the Development of Verified Software (ends in 2004)

ASI-SACSO: Safety Critical Software for planning space robotics (ends in 2004)

ASI-GMES: Un Sistema Innovativo per la gestione di Costellazioni di Satelliti e la sua Applicazione alla Tutela Ambientale (proposta)

RoboCare: Sistema multi-agente con componenti fisse e robotiche mobili intelligenti (fine nel 2005)

FIRB

Knowledge LevelAutomated Software

Engineering

4 Milioni di Euro

DIT Università di Trento

DISUniversità “La Sapienza”

Delisa-Delta DatorTrento

DIST Università di Genova

IRST Istituto Trentino di Cultura

FIRB (objectives) A Knowledge Level Automated Software

Engineering methodology, A requirement actor and goal oriented

framework Theories and techniques for the code analysis A concept demonstrator prototype, integrating

the developed techniques The application of the prototype to a case

study

FIRB (activities) Development of a methodology based on the

goal/actors paradigm Automated Reasoning for validation and

verification of software (QBF, BMC, SAT...) Automated Planning for software development

automation Natural language processing for documentation

analysis Analysis and Testing of systems based on the

goal/actors paradigm

Lab activies on FIRBDevelopment of a planning language for

the goal/actor frameworkStudy and development of planning

techniques based on SATStudy and development of planning

techniques based on QBFDevelopment of a Tool for formal

verification

Ricerca tesisti per FIRB Buone conoscenze di :

Informatica di base (algoritmi e strutture dati) Linguaggi C/C++ standard Lingua Inglese

Disponibiltà: A lavorare sodo in un team giovane e in crescita A trascorrere periodi a Trento durante la tesi Ad iniziare la tesi a Settembre/Ottobre 2003

Programma: Formazione iniziale a Genova durante la tesi Completemento attività presso ITC/IRST di Trento con

contratto di collaborazione annuale