1 / 48

BDD vs. Constraint Based Model Checking: An Experimental Evaluation for Asynchronous Concurrent Systems

BDD vs. Constraint Based Model Checking: An Experimental Evaluation for Asynchronous Concurrent Systems. Tevfik Bultan Department of Computer Science University of California, Santa Barbara bultan@cs.ucsb.edu http://www.cs.ucsb.edu/~bultan/. Outline. Concurrency problems

benjiro
Download Presentation

BDD vs. Constraint Based Model Checking: An Experimental Evaluation for Asynchronous Concurrent Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. BDD vs. Constraint Based Model Checking: An Experimental Evaluation for Asynchronous Concurrent Systems Tevfik Bultan Department of Computer Science University of California, Santa Barbara bultan@cs.ucsb.edu http://www.cs.ucsb.edu/~bultan/

  2. Outline • Concurrency problems • Symbolic model checking • Functionality required for symbolic model checking • BDD representation • Constraint representation • Experimental results • Related work • Conclusions

  3. Program: Bakery Data Variables: a, b: positive integer Control Variables: pc1, pc2: {T, W, C} Initial Condition: a=b=0 & pc1=T1 & pc2=T2 Events: eT1:pc1=T & pc1’=W & a’=b+1 eW1:pc1=W & (a<b | b=0) & pc1’=C eC1:pc1=C & pc1’=T & a’=0 eT2:pc2=T & pc2’=W & b’=a+1 eW2:pc2=W & (b<a | a=0) & pc2’=C eC2:pc2=C & pc2’=T & b’=0 BAKERY: AG(!(pc1=c & pc2=C))

  4. Program: Barber Data Variables: cinchair,cleave,bavail, bbusy,bdone: positive integer Control Variables: pc1,pc2,pc3: {1,2} Initial Condition: cinchair=cleave=bavail =bbusy=bdone=0 & pc1=pc2=pc3=1 Events: eHairCut1:pc1=1 & pc1’=2 & cinchair<bavail & cinchair’=cinchair+1 eHairCut2:pc1=2 & pc1’=1 & cleave<bdone & cleave’=cleave+1 eNext1:pc2=1 & pc2’=2 & bavail’=bavail+1 eNext2:pc2=2 & pc2’=1 & bbusy<cinchair & bbusy’=bbusy+1 eFinish1:pc3=1 & pc3’=2 & bdone<bbusy & bdone’=bdone+1 eFinish2:pc3=2 & pc3’=1 & bdone=cleave

  5. BARBER: AG(cinchair >=cleave & bavail>=bbusy>=bdone & cinchair<=bavail & bbusy<=cinchair & cleave<=bdone) BARBER-1: AG(cinchair>=cleave & bavail>=bbusy>=bdone) BARBER-2: AG(cinchair<=bavail & bbusy<=cinchair) BARBER-3: AG(cleave<=bdone)

  6. Program:Readers-Writers Data Variables: nr, nw: positive integer Initial Condition: nr=nw=0 Events: eReaderEnter:nw=0 & nr’=nr+1 eReaderExit:nr>0 & nr’=nr-1 eWriterEnter:nr=0 & nw= 0 & nw’=nw+1 eWriterExit:nw>0 & nw=nw-1 READERS-WRITERS: AG((nr=0 | nw=0) & nw<=1)

  7. Program: Bounded-Buffer Parameterized Constant: size: positive integer Data Variables: available, produced, consumed: positive integer Initial Condition: produced=consumed=0 & available = size Events: eProduce:0<available & produced’=produced+1 & available’=available-1 eConsume:available<size & consumed’=consumed+1 & available’=available+1

  8. BOUNDED-BUFFER: AG(produced-consumed=size-available & 0<=available<=size) BOUNDED-BUFFER-1: AG(produced-consumed=size-available) BOUNDED-BUFFER-2: AG(0<=available<=size) BOUNDED-BUFFER-3: AG(0<=produced-consumed<=size)

  9. Program: Circular-Queue Parameterized Constant: size: positive integer Data Variables: occupied,head,tail, produced, consumed : positive integer Initial Condition:occupied=head=tail =produced=consumed=0 Events: eProduce:occupied<size & occupied’=occupied+1 & produced’=produced+1 & (tail=size & tail’=0 | tail<size & tail’=tail+1) eConsume:occupied>0 & occupied’=occupied-1 & consumed’=consumed+1 & (head=size & head’=0 | head<size & head’=head+1)

  10. CIRCULAR-QUEUE: AG(0<=produced-consumed<=size & produced-consumed=occupied) CIRCULAR-QUEUE-1: AG(0<=produced-consumed<=size) CIRCULAR-QUEUE-2: AG(produced-consumed=occupied)

  11. Model Checking Given a program and a temporal propertyp: • Either show that all the initial states satisfy the temporal propertyp • set of initial states  truth set of p • Or find an initial state which does not satisfy the propertyp • a state  set of initial states  truth set of p

  12. Temporal Properties  Fixpoints EF p p  (EX p)  EX (EX p)  … 1 2 3

  13. Temporal Properties  Fixpoints • Note that • AG p   EF( p ) • Other temporal operators can also be represented as fixpoints • AF p , EG p , p AU q , p EU q

  14. Tools Required for Model Checking • Basic set operations intersection, union, set difference • to handle    • Equivalence Checking • to check if the fixpoint is reached • Relational image computation • for precondition operation EX

  15. Functionality of a Symbolic Representation Symbolic And(Symbolic,Symbolic) Symbolic Or(Symbolic,Symbolic) Symbolic Not(Symbolic) Boolean Equivalent(Symbolic,Symbolic) Symbolic EX(Symbolic)

  16. BDDs • Efficient representation for boolean functions • Disjunction, conjunction complexity: at most quadratic • Negation complexity: constant • Equivalence checking complexity: constant or linear • Image computation complexity: can be exponential

  17. BDD encoding for Integer Variables • Systems with bounded integer variables can be represented using BDDs • Use a binary encoding • represent integer x as x0x1x2... xk • where x0, x1, x2, ... , xk are binary variables • You have to be careful about the variable ordering!

  18. Integers in SMV • SMV represents integers using a binary encoding • In the BDD variable ordering current and next state bits of an integer variable are interleaved • good for x’ =x • Bits of different variables are not interleaved • What happens when we have x’ = y ?

  19. x2 x2’ x1 x1’ x0 x0’ y2 y2’ y1 y1’ y0 y0’ We have to remember every x’ bit until this point for x’ = y

  20. William Chan’s Ordering • Using a preprocessor converts integer variables to boolean variables • Interleaves bits of all integer variables in the BDD ordering • Results with much better performance for systems with integer variables

  21. Linear Arithmetic Constraints • Constraints • Constraint representation  ai xi = c  ai xi c 1  i  n 1  i  n  constraintkl 1  k  h 1  l  m

  22. Linear Arithmetic Constraints • Can be used to represent unbounded integers • Disjunction complexity: linear • Conjunction complexity: quadratic • Negation complexity: can be exponential • Equivalence checking complexity: can be exponential • Image computation complexity: can be exponential

  23. Image Computation in Omega Library • Extension of Fourier-Motzkin variable elimination for real variables • Eliminating one variable from a conjunction of constraints may double the number of constraints • Integer variables complicate the problem even further

  24. Fourier-Motzkin Variable Elimination • Given two constraints   bz and az   we have a  abz  b • We can eliminate z as: z . a  abz  b if and only if a  b • Every upper and lower bound pair can generate a separate constraint, the number of constraints can double for each eliminated variable real shadow

  25. Integers are More Complicated • If z is integer z . a  abz  b if a + (a - 1)(b - 1) b • Remaining solutions can be characterized using periodicity constraints in the following form: z .  + i = bz dark shadow

  26. Consider the constraints: y . 03y – x  7  1 x – 2y  5 We get the following bounds for y: 2x 6y 6y 2x + 14 3x - 15 6y 6y  3x - 3 When we combine 2 lower bounds with 2 upper bounds we get four constraints: 0  14 , 3  x,x  29 , 0  12 Result is: 3  x  29

  27. y x – 5  2y 2y  x – 1 x 3y 3y  x + 7 3 29 x dark shadow real shadow

  28. Systems with Bounded Integer Variables • BDDs and constraint representations are both applicable • Which one is better?

  29. Experiments • Intel Pentium PC (500MHz, 128MByte main memory) • Three approaches are compared • SMV • SMV with Chan’s interleaved variable ordering • Omega library model checker

  30. BAKERY: AG(!(pc1=c & pc2=C)) BARBER: AG(cinchair >=cleave & bavail>=bbusy>=bdone & cinchair<=bavail & bbusy<=cinchair & cleave<=bdone) BARBER-1: AG(cinchair>=cleave & bavail>=bbusy>=bdone) BARBER-2: AG(cinchair<=bavail & bbusy<=cinchair) BARBER-3: AG(cleave<=bdone) READERS-WRITERS: AG((nr=0 | nw=0) & nw<=1) BOUNDED-BUFFER: AG(produced-consumed=size-available & 0<=available<=size) BOUNDED-BUFFER-1: AG(produced-consumed=size-available) BOUNDED-BUFFER-2: AG(0<=available<=size) BOUNDED-BUFFER-3: AG(0<=produced-consumed<=size) CIRCULAR-QUEUE: AG(0<=produced-consumed<=size & produced-consumed=occupied) CIRCULAR-QUEUE-1: AG(0<=produced-consumed<=size) CIRCULAR-QUEUE-2: AG(produced-consumed=occupied)

  31. SMV (interleaved) Omega Each integer variable is restricted to 0  i  1024

  32. SMV (interleaved) Omega Each integer variable is restricted to 0  i  1024 Size of the buffer is restricted to 0  size  16

  33. Constraint-Based Verification:Not a New Idea • [Cooper 71]: used a decision procedure for Presburger arithmetic to verify sequential programs represented in a block form • [Cousot and Halbwachs 78]: used real arithmetic constraints to discover invariants of sequential programs

  34. Constraint-Based Verification: • [Halbwachs 93]: constraint based delay analysis in synchronous programs • [Halbwachs et al. 94]: verification of linear hybrid systems using constraint representations • [Alur et al. 96]: HyTech, a model checker for hybrid systems

  35. Constraint-Based Verification • [Boigelot and Wolper 94]: symbolic verification with periodic sets • [Bultan et al. 97, 99]: used Presburger arithmetic constraints for model checking concurrent systems • [Delzanno and Podelski 99]: built a model checker using constraint logic programming framework

  36. BDD-Based Verification • [Bryant 86]: Reduced ordered BDDs • [Coudert et al. 90]: BDD-based verification • [Burch et al. 90]: Symbolic model checking • [McMillan 93]: SMV

  37. Combining BDDs and Constraints • [Chan et al. 97]: combining BDD representation with a constraint solver (it can handle nonlinear constraints but the transition system is restricted) • [Bultan et al. 98, 00]: combining different symbolic representations in one model checker (combined BDDs and linear arithmetic constraints in a disjunctive form)

  38. Automata-Based Representations • [Klarlund et al. 95]: MONA, an automata manipulation tool for verification • [Wolper and Boigelot]: verification using automata as a symbolic representation • [Kukula et al. 98]: application of automata based verification to hardware verification

  39. Automata vs. Constraint Representation • [Kukula et al. 98]: comparison of automata and constraint-based verification • comparison based on reachability analysis • no clear winner • on some cases automata based approach seems to show asymptotic advantage • this could be due to inefficient encoding of booleans in constraint representation

  40. Conclusions • Constraint-based representations can be more efficient for integer variables with large domains • BDD-based model checking is more robust • Constraint-based model checkers can handle infinite state systems • Constraint-based model checking suffers from inefficient representation of variables with small domains • I believe there is room for improvement for constraint-based model checking techniques

More Related