On Partitioning and Symbolic Model Checking FM 2005
![Page 1: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/1.jpg)
On Partitioning and Symbolic Model Checking
FM 2005
Subramanian Iyer, UT-Austin
Debashis Sahoo, Stanford
E. Allen Emerson, UT-Austin
Jawahar Jain, Fujitsu Labs
![Page 2: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/2.jpg)
Outline
• Background
• The Partitioning Approach
• Model Checking
  • The naïve algorithm
  • An improved algorithm
• Experiments and Conclusion
![Page 3: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/3.jpg)
![Page 4: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/4.jpg)
Sequential Verification
• Does the implementation fulfil its specification?
• Model Checking: state based
  • Given: system under test
  • Prove: properties given in a temporal logic (e.g. CTL, LTL)
• Required for model checking:
  • Input data: transition relation
  • Generated: reachable states, forbidden states
  • Procedures: Boolean operations, image computation
![Page 5: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/5.jpg)
Reachability Analysis
Simple property: [figure showing the state space of 2^n states and the initial set S0]
Algorithm:
    From = Reached = S0
    do {
        To = Img(TR, From)
        New = To \ Reached
        Reached = Reached + To
        From = New
    } while (New ≠ Ø)
![Page 6: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/6.jpg)
Model Checking Hinges on Reachability
• Basic operation: pre-image
• In simple terms, given a "bad" formula f:
  • Compute the reachable states
  • Compute the states satisfying f
  • Pass if the intersection is empty
• Key issues: state set generation and representation
  • Extensional, as originally proposed
  • Symbolic, as now practiced
![Page 7: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/7.jpg)
[Figure: an OBDD over the variables x, y, z; each node for x has a low branch f|x=0 and a high branch f|x=1]
Ordered Binary Decision Diagrams
• BDDs with the read-once property and a fixed variable order
• The restrictions guarantee:
  + Canonicity
  + Efficient algorithms for Boolean operations, tautology, SAT and equivalence check
• Disadvantage:
  - Blow-up possible
• The minimizing problem:
  • Better BDD types (?)
  • Transformations (?)
  • Variable reordering (local search: sifting)
![Page 8: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/8.jpg)
Symbolic Model Checking
• Using BDDs to represent sets of states
• Key operation is image computation using the transition relation
• Necessary to succinctly represent the transition relation
• What is the problem?
![Page 9: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/9.jpg)
The Bottleneck in Verification
• State-based verification (model checking) can be fully automated in principle
• Why not in practice? State space representation
  • Symbolically manifests as "BDD blowup"
  • Limits the extent of automation
  • Limits the size of designs that can be handled
• Capacity is restricted by representation size; memory restricts time
• BDD based tools crash or thrash
• So what can be done?
![Page 10: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/10.jpg)
![Page 11: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/11.jpg)
Partitioned Transition Relation
• Represented as a conjunction of k parts TRi
• Easy to construct for synchronous circuits
  • Conjunction of "bitwise" TRi's, the transition function of each state variable
  • Set of variables partitioned into k disjoint subsets
  • Transition functions for the variables in each subset are conjuncted together to give TRi
• TR is the implicit conjunction of TRi for i in 1 to k
![Page 12: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/12.jpg)
Partitioned TR (Cont'd)
Basis of the reachable states computation. Monolithic ROBDD:
$$TR(x, y) = \bigwedge_{i} \big( y_i \leftrightarrow \delta_i(x) \big)$$
Partitioned TR, a cluster of ROBDDs:
$$TR(x, y) = \bigwedge_{j \in J} TR_j(x, y), \qquad TR_j(x, y) = \bigwedge_{i \in J_j} \big( y_i \leftrightarrow \delta_i(x) \big)$$
![Page 13: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/13.jpg)
Image Computation
The image computation step:
$$Img(TR, A) = \exists x \, \big( TR(x, y) \wedge A(x) \big)$$
Partitioned TR is useful due to early quantification (AndExist):
$$Img(TR, A) = \exists x_n \Big( TR_n \wedge \cdots \exists x_2 \big( TR_2 \wedge \exists x_1 ( TR_1 \wedge A ) \big) \cdots \Big)$$
The choice and order of the TRj's is crucial for good performance!
![Page 14: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/14.jpg)
Partitioned TR - Observations
• What is it that is partitioned?
  • The set of variables
  • The relation
• The actual TR is an implicit conjunction
• Sets of states are always ROBDDs
  • During image computation
  • Before and after image computation
![Page 15: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/15.jpg)
So What?
• Sets of states as ROBDDs can get very large
• TR parts are repeatedly conjuncted during each image
  • Made easier when combined with quantification
  • Still a repeated expense
• Solution: partition all state-sets
![Page 16: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/16.jpg)
Partitioned ROBDD (POBDD)
Given the Boolean function $f : B^n \to B$, $X_f = \{ (w_1, \hat f_1), (w_2, \hat f_2), \ldots, (w_k, \hat f_k) \}$ is its partitioned-ROBDD representation if
$$w_1 \vee w_2 \vee \cdots \vee w_k = 1, \qquad w_i \wedge w_j = 0 \ (i \ne j), \qquad \hat f_i = w_i \wedge f$$
where $w_i : B^n \to B$ and $\hat f_i : B^n \to B$ are ROBDDs, each with a variable ordering of its own.
Note that the ROBDDs in each partition may have a different variable ordering.
Each $w_i$ is called a window function.
[Figure: f split into four windows w1, w2, w3, w4 with partition functions f̂1, f̂2, f̂3, f̂4]
![Page 17: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/17.jpg)
A simple example
f = c (a1 b1 + a2 b2) + c̄ (a1 a2 + b1 b2)
w1 = c
w2 = c̄
f1 = c (a1 b1 + a2 b2)
f2 = c̄ (a1 a2 + b1 b2)
[Figure: ROBDD of f1 under ordering 1: c, a1, b1, a2, b2]
[Figure: ROBDD of f2 under ordering 2: c, a1, a2, b1, b2]
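To make the definition concrete, here is an added example (not code from the paper or its authors) that builds tiny reduced ordered BDDs for the slide's function f and its two partitions, checks the three POBDD conditions by exhaustive evaluation, and counts internal nodes under each ordering. The `ROBDD` class is a deliberately minimal construction by Shannon expansion with a unique table (an assumption for illustration, not a production BDD package); the variable names and both orderings are the ones on the slide.

```python
from itertools import product

# The slide's example function, written as a predicate over an assignment dict:
#   f = c (a1 b1 + a2 b2) + ~c (a1 a2 + b1 b2)
VARS = ("c", "a1", "b1", "a2", "b2")

def f(v):
    return (v["c"] and (v["a1"] and v["b1"] or v["a2"] and v["b2"])) or \
           (not v["c"] and (v["a1"] and v["a2"] or v["b1"] and v["b2"]))

def w1(v):            # window functions from the slide
    return v["c"]

def w2(v):
    return not v["c"]

def conj(g, h):       # f̂_i = w_i ∧ f
    return lambda v: g(v) and h(v)

f1, f2 = conj(w1, f), conj(w2, f)
ORDER1 = ("c", "a1", "b1", "a2", "b2")   # ordering used for partition 1 on the slide
ORDER2 = ("c", "a1", "a2", "b1", "b2")   # ordering used for partition 2 on the slide

def all_assignments():
    for bits in product((False, True), repeat=len(VARS)):
        yield dict(zip(VARS, bits))

def is_partitioned_robdd(func, windows, parts):
    """POBDD conditions: windows cover B^n and are pairwise disjoint, f̂_i = w_i ∧ f, and f = ∨ f̂_i."""
    for v in all_assignments():
        if sum(w(v) for w in windows) != 1:            # exactly one window true: cover + disjointness
            return False
        if any(p(v) != (w(v) and func(v)) for w, p in zip(windows, parts)):
            return False
        if func(v) != any(p(v) for p in parts):
            return False
    return True

class ROBDD:
    """Minimal reduced ordered BDD built by Shannon expansion with a unique table (small n only)."""
    def __init__(self, func, order):
        self.order = order
        self.unique = {}                 # (var, low, high) -> node id; ids 0 and 1 are the terminals
        self.nodes = {}
        self.root = self._build(func, 0, {})

    def _mk(self, var, low, high):
        if low == high:                  # redundant test: reduction rule
            return low
        key = (var, low, high)
        if key not in self.unique:       # isomorphic subgraphs share one node
            nid = len(self.unique) + 2
            self.unique[key] = nid
            self.nodes[nid] = key
        return self.unique[key]

    def _build(self, func, i, env):
        if i == len(self.order):
            return 1 if func(env) else 0
        var = self.order[i]
        low = self._build(func, i + 1, {**env, var: False})
        high = self._build(func, i + 1, {**env, var: True})
        return self._mk(var, low, high)

    def size(self):
        return len(self.unique)          # internal (non-terminal) nodes

    def evaluate(self, v):
        n = self.root
        while n > 1:
            var, low, high = self.nodes[n]
            n = high if v[var] else low
        return n == 1

def node_counts():
    """Monolithic ROBDD of f versus each partition under its own ordering and under the other one."""
    return {
        "f under ordering 1": ROBDD(f, ORDER1).size(),
        "f1 under ordering 1": ROBDD(f1, ORDER1).size(),
        "f2 under ordering 2": ROBDD(f2, ORDER2).size(),
        "f1 under ordering 2": ROBDD(f1, ORDER2).size(),
        "f2 under ordering 1": ROBDD(f2, ORDER1).size(),
    }

if __name__ == "__main__":
    print("valid POBDD:", is_partitioned_robdd(f, [w1, w2], [f1, f2]))
    for name, n in node_counts().items():
        print(f"{name}: {n} nodes")
```

Each partition is smallest under its own ordering (5 nodes for f1 under ordering 1 and for f2 under ordering 2, against 7 nodes for either one under the other ordering), which is exactly the freedom the definition grants: a single ROBDD for f has to live with one ordering for both halves.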
![Page 18: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/18.jpg)
On Using Partitioning
• Sets of states disjunctively partitioned
  • Key: use the same partitioning windows
  • In particular, for the set of reachable states
• Induces a disjunctive partitioning on TR
  • TR is a relation on state pairs: quadratic, one part TRij per pair of windows
  • Notice each such TRij can further be monolithic, disjunctive, or conjunctive
• Image computation must consider the "to" and "from" set in each partition
![Page 19: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/19.jpg)
Reachability Revisited
Old algorithm:
    From = Reached = S0
    do {
        To = Img(TR, From)
        New = To \ Reached
        Reached += To
        From = New
    } while (New ≠ Ø)
• Notice that From is now partitioned
• TR applied to Fromi of partition i: the result Toi is also partitioned
• So Toij is owned by partition j and must be given to j
• Quadratic such transfers!
![Page 20: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/20.jpg)
Image and Reachability
• Fixpoint computations performed on each partition locally, using TRii
  • Use the reachability algorithm on ROBDDs
• Synchronization between partitions
  • Cross-over images find states using TRij, i ≠ j
  • Must keep it infrequent: postponed till the local fixpoint is reached
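The two reachability loops above, the monolithic one and the partition-local one with postponed cross-over images, as an added example that is not part of the slides. Explicit sets of integers stand in for the ROBDDs and POBDDs, the transition relation and the three windows are constructed for illustration, and the counters stand in for the cost of the image steps; the `pending` sets and the `queue` play the role of the event queue in the slides that follow.

```python
from collections import deque

# Constructed example: 9 states in 3 windows, w0 = {0,1,2}, w1 = {3,4,5}, w2 = {6,7,8}.
K = 3

def window(s):
    return s // 3

# Constructed transition relation as explicit (from, to) pairs.
TR = {(0, 1), (1, 2), (2, 0), (2, 3),   # cycle inside w0, one cross-over edge into w1
      (3, 4), (4, 5), (5, 6),           # chain inside w1, cross-over edge into w2
      (6, 7), (7, 6), (7, 1)}           # cycle inside w2, cross-over edge back into w0; 8 is unreachable
S0 = {0}

def img(frm, i, j):
    """Img(TR_ij, From_i): successors in window j of the states of From that lie in window i."""
    return {t for (s, t) in TR if s in frm and window(s) == i and window(t) == j}

def classical_reach(s0):
    """The monolithic loop of the slide; on partitioned sets every Img needs k*k window-to-window transfers."""
    reached, frm, images = set(s0), set(s0), 0
    while frm:
        to = {t for (s, t) in TR if s in frm}
        images += 1
        frm = to - reached
        reached |= to
    return reached, images

def partitioned_reach(s0):
    """Local fixpoint per window with TR_ii; cross-over images with TR_ij (i != j) only after that fixpoint."""
    reached = {j: set() for j in range(K)}
    pending = {j: {s for s in s0 if window(s) == j} for j in range(K)}  # handed to window j, not yet explored
    queue = deque(j for j in range(K) if pending[j])                     # the event queue
    stats = {"local_images": 0, "crossover_images": 0}
    while queue:
        j = queue.popleft()
        frm, pending[j] = pending[j], set()
        if not frm:
            continue
        reached[j] |= frm
        new_in_j = set(frm)                  # everything window j learned since its last cross-over step
        while frm:                           # local fixpoint: the ROBDD reachability loop on TR_jj
            to = img(frm, j, j)
            stats["local_images"] += 1
            frm = to - reached[j]
            reached[j] |= frm
            new_in_j |= frm
        for i in range(K):                   # cross-over images T_ji, handed over to window i
            if i == j:
                continue
            to = img(new_in_j, j, i)
            stats["crossover_images"] += 1
            fresh = to - reached[i] - pending[i]
            if fresh:
                pending[i] |= fresh
                if i not in queue:
                    queue.append(i)
    return set().union(*reached.values()), stats

if __name__ == "__main__":
    print("classical:  ", classical_reach(S0))
    print("partitioned:", partitioned_reach(S0))
```

Both loops reach the same eight states. The monolithic loop needs 8 image computations, each of which would touch every pair of windows once the state sets are partitioned, while the partitioned loop does its 8 local images inside single windows and needs only 6 cross-over images in total, because each window first runs to its local fixpoint and only then hands over what it found.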
![Page 21: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/21.jpg)
Reachability Example: Initial set
[Figure: windows w1, w2, w3, w4; initial sets I1(x) in w1 and I3(x) in w3; event queue: 1 3]
![Page 22: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/22.jpg)
Local Fix Point
[Figure: local fixpoint T11 computed in w1 from I1(x); I3(x) still waiting in w3; event queue: 3]
![Page 23: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/23.jpg)
Cross-over images
[Figure: R1 in w1; cross-over images T12, T13, T14 sent from w1 to w2, w3, w4; I3(x) in w3; event queue: 3 4]
![Page 24: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/24.jpg)
Another Local Fix point
[Figure: R1 in w1; local fixpoint T33 computed in w3 from I3(x); event queue: 4]
![Page 25: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/25.jpg)
More Cross over images
[Figure: R1 in w1, R3 in w3; cross-over images T31, T32, T34 sent from w3 to w1, w2, w4; event queue: 2 4 1]
![Page 26: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/26.jpg)
Example, cont.
[Figure: R1 in w1, R3 in w3; local fixpoint T44 computed in w4; event queue: 2 1]
![Page 27: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/27.jpg)
![Page 28: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/28.jpg)
CTL: temporal properties
• EX(f), E(fUg), EG(f) form a basis set
• Invariant checking: AGp
  • Absence of deadlock
• Return to reset state: AG EF(s0)
• Temporal implication: AG(p → EF q)
• Liveness: EGp, AFp
![Page 29: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/29.jpg)
![Page 30: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/30.jpg)
Image Computation EXp
    forall (partitions j)
        forall (partitions k)
            PreImg_jk(s) = ∃s′, i [TRjk(s, s′, i) ∧ pk(s′)]
            reorder BDD PreImg_jk from partition order k to j
        end for
        Sj = ∨k PreImg_jk
    end for
    output S
![Page 31: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/31.jpg)
Least Fix Point E(pUq)
    S := q, S.old := NULL
    repeat
        S.old := S
        temp := computeEX(S)
        forall (partitions j)
            Sj := qj ∨ (pj ∧ tempj)
        end for
    until (S = S.old)
    output S
![Page 32: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/32.jpg)
Greatest Fix Point EGp
    S := p
    repeat
        S.old := S
        temp := computeEX(S)
        forall (partitions j)
            Sj := pj ∧ tempj
        end for
    until (S = S.old)
    output S
![Page 33: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/33.jpg)
What's the problem?
• Image computation has two parts
  • Transitions local to a partition (i = j)
  • Transitions crossing over partitions (i ≠ j)
• Cross-over images are expensive!
  • Get BDDs, maybe from disk
  • Store BDDs, maybe over the network
  • Reorder large BDDs
• The classical algorithm does one set of cross-over images during each EX.
![Page 34: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/34.jpg)
![Page 35: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/35.jpg)
Least Fix Point E(pUq)
    S := q, S.old := NULL
    repeat
        S.old := S
        forall (partitions j)
            repeat
                Sj.old := Sj
                Sj := Sj ∨ (pj ∧ EXl(Sj, j))      … under-approximate
            until (Sj = Sj.old)
        end for
        S := S ∨ (p ∧ EXc(S))                      … add missing states
    until (S = S.old)
    output S
![Page 36: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/36.jpg)
Greatest Fix Point EGp
    S := p
    Border := p ∧ EXc(S)                           … candidate set
    repeat
        S.old := S
        forall (partitions j)
            repeat
                Sj.old := Sj
                Sj := pj ∧ (EXl(Sj, j) ∨ Borderj)  … over-approximate
            until (Sj = Sj.old)
        end for
        Border := p ∧ EXc(S)                       … prune states
    until (S = S.old)
    output S
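The naïve and the improved fixpoint procedures side by side, as an added example that is not code from the paper. It covers the classical EX/E(pUq)/EGp loops of the earlier slides and the partition-local versions above on one constructed Kripke structure with two windows; explicit sets replace the POBDDs, `pre_img(S, j, k)` plays the role of PreImg_jk, and the `rounds` counter records how often the expensive cross-over step EXc (all TRjk with j ≠ k) is evaluated, which is the quantity the paper's experiments compare.

```python
# Constructed example: 10 states in two windows, w0 = {0,1,2,3}, w1 = {4,...,9}.
K = 2

def window(s):
    return 0 if s < 4 else 1

# Constructed transition relation: a cycle through 0 inside w0, a cross-over edge 3 -> 4,
# a chain with a self-loop at 5 inside w1, and a cross-over edge 9 -> 0 back into w0.
TR = {(0, 1), (1, 2), (2, 3), (3, 0), (3, 4),
      (4, 5), (5, 5), (5, 6), (6, 7), (7, 8), (8, 9), (9, 0)}
P = frozenset(range(1, 10))   # p holds everywhere except in state 0
Q = frozenset({9})

def restrict(S, j):
    """S_j: the part of S owned by window j (what the POBDD of S holds in partition j)."""
    return frozenset(s for s in S if window(s) == j)

def pre_img(S, j, k):
    """PreImg_jk(s) = ∃s' [TR_jk(s, s') ∧ S_k(s')]: states of window j with a successor in S inside window k."""
    return frozenset(s for (s, t) in TR if window(s) == j and window(t) == k and t in S)

def ex_local(S, j):               # EX_l(S, j): uses TR_jj only
    return pre_img(S, j, j)

def ex_cross(S):                  # EX_c(S): every TR_jk with j != k, the expensive step
    return frozenset().union(*(pre_img(S, j, k) for j in range(K) for k in range(K) if j != k))

def ex(S):                        # classical EX over all TR_jk: one cross-over round per call
    return frozenset().union(*(pre_img(S, j, k) for j in range(K) for k in range(K)))

def eu_classical(p, q):
    S, old, rounds = q, None, 0
    while S != old:
        old = S
        S = q | (p & ex(S))
        rounds += 1
    return S, rounds

def eu_improved(p, q):
    S, old, rounds = q, None, 0
    while S != old:
        old = S
        parts = []
        for j in range(K):
            Sj, pj, Sj_old = restrict(S, j), restrict(p, j), None
            while Sj != Sj_old:                  # local least fixpoint: under-approximates E(p U q)
                Sj_old = Sj
                Sj = Sj | (pj & ex_local(Sj, j))
            parts.append(Sj)
        S = frozenset().union(*parts)
        S = S | (p & ex_cross(S))                # add the states reachable only via cross-over edges
        rounds += 1
    return S, rounds

def eg_classical(p):
    S, old, rounds = p, None, 0
    while S != old:
        old = S
        S = p & ex(S)
        rounds += 1
    return S, rounds

def eg_improved(p):
    S = p
    border = p & ex_cross(S)                     # candidate set
    rounds, old = 1, None
    while S != old:
        old = S
        parts = []
        for j in range(K):
            Sj, pj, bj, Sj_old = restrict(S, j), restrict(p, j), restrict(border, j), None
            while Sj != Sj_old:                  # local greatest fixpoint: over-approximates EG p
                Sj_old = Sj
                Sj = pj & (ex_local(Sj, j) | bj)
            parts.append(Sj)
        S = frozenset().union(*parts)
        border = p & ex_cross(S)                 # prune states whose cross-over successor was dropped
        rounds += 1
    return S, rounds

if __name__ == "__main__":
    print("E(p U q):", eu_classical(P, Q), eu_improved(P, Q))
    print("EG p:    ", eg_classical(P), eg_improved(P))
```

Both versions return the same sets: E(pUq) holds in states 1 to 9 and EGp in states 1 to 5. The classical loops need 9 and 5 cross-over rounds, one per EX, because every step along the chain in w1 is a global iteration; the improved loops finish the chain inside the local fixpoint and need only 3 rounds each, with the Border set letting state 3 keep its cross-over successor while w1 is being pruned.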
![Page 37: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/37.jpg)
![Page 38: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/38.jpg)
VIS Verilog benchmarks (C/O: cross-over images; M/C: model checking)

| Ckt | #C/O old | #C/O new | C/O time old | C/O time new | Total M/C time old | Total M/C time new |
|---|---|---|---|---|---|---|
| S1269 | 8 | 8 | 67 | 1 | 93 | 1 |
| Soap | 53 | 5 | 592 | 1 | 714 | 28 |
| Ghg | 9367 | 6 | 166 | .15 | 280 | 27 |
| Sppint | 16 | 6 | 4 | 1 | 24 | 2 |
| Gcd | 15 | 7 | 19 | .7 | 69 | 108 |
![Page 39: On Partitioning and Symbolic Model Checking FM 2005](https://reader035.fdocuments.us/reader035/viewer/2022062309/5681594b550346895dc687f4/html5/thumbnails/39.jpg)
Conclusions
Assuming a model where cross-over images are very expensive, the proposed algorithm:
• Is no worse than the classical algorithm
• Converges faster, empirically, in terms of
  • Number of cross-over images
  • Time spent in cross-over images
• Reduces total model checking time, often quite significantly
• Is good for parallel model checking