1 / 39

On Partitioning and Symbolic Model Checking FM 2005

On Partitioning and Symbolic Model Checking FM 2005. Subramanian Iyer, UT-Austin Debashis Sahoo, Stanford E. Allen Emerson, UT-Austin Jawahar Jain, Fujitsu Labs. Outline. Background The Partitioning Approach Model Checking The naïve algorithm An improved algorithm

colman
Download Presentation

On Partitioning and Symbolic Model Checking FM 2005

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. On Partitioning and Symbolic Model CheckingFM 2005 Subramanian Iyer, UT-Austin Debashis Sahoo, Stanford E. Allen Emerson, UT-Austin Jawahar Jain, Fujitsu Labs

  2. Outline • Background • The Partitioning Approach • Model Checking • The naïve algorithm • An improved algorithm • Experiments and Conclusion

  3. Outline • Background • The Partitioning Approach • Model Checking • The naïve algorithm • An improved algorithm • Experiments and Conclusion

  4. Sequential Verification • Does Implementation fullfil its Specification? • Model Checking: • State Based • Given: System under test • Prove: properties given in a temporal logic (eg: CTL, LTL) • Required for Model Checking: • Input Data : Transition relation • Generated : Reachable states, Forbidden states • Procedures : Boolean Operations, Image Computation

  5. S0 Reachability Analysis Algorithm: Simple property: 2n From=Reached=S0 do{ To = Img(TR,From) New = To \ Reached Reached = Reached + To From = New }while(New  Ø ) • C • D

  6. Model Checking • Hinges on Reachability • Basic Operation: Pre-image • In Simple terms • Given “bad” formula f • Compute reachable states • Compute states satisfying f • Pass if intersection is empty • Key issues : State set generation and representation • Extensional, as originally proposed. • Symbolic, as now practiced

  7. x y y z z 1 0 OrderedBinary Decision Diagrams • BDDs with • read-once property • fixed Variable order • The restrictions guarantee: • Canonicity • efficient Algorithms for Boolean Operations, Tautology, SAT and Equivalence check • Disadvantage: • Blow-Up possible • The minimizing problem: • better BDD Types (?) • Transformations (?) • Variable- Reordering • Local Search: Sifting

  8. Symbolic Model Checking • Using BDDs to represent sets of states • Key operation is image computation • Using transition relation • Necessary to succinctly represent the transition relation What is the problem?

  9. The Bottleneck in Verification State-based verification, model checking • Can be fully automated in principle Why not in practice? • State space representation • Symbolically manifests as “BDD blowup” • Limits extent of automation • Limits size of designs that can be handled • Capacity is restricted by representation size • Memory restricts time • BDD based tools – crash or thrash So What can be done?

  10. Outline • Background • The Partitioning Approach • Model Checking • The naïve algorithm • An improved algorithm • Experiments and Conclusion

  11. Partitioned Transition Relation • Represented as conjunction of k parts TRi • Easy to construct for synchronous circuits • Conjunction of “bitwise” TRi’s – the transition function of each state variable • Set of variables partitioned into k disjoint subsets • Transition functions for variables in each subset are conjuncted together to give TRi • TR is the implicit conjunction of TRi for i in 1 to k

  12. Partitioned TR (Cont‘d) • Basis of reachable states computation: • Partitioned TR: TRj Cluster of ROBDDs Monolithic ROBDD

  13. Image Computation • The image computation step: • Partitioned TR useful due to early quantification (AndExist): • Choice and order of TRj’s is crucial for a good performance! Img(TR,A)= $x( TR(x,y) A(x)) Img(TR,A)= $xn( TRn ...$x2( TR2 $x1( TR1 A)))...)

  14. Partitioned TR - Observations • What is it that is partitioned? • The set of variables • The relation • Actual TR is an implicit conjunction • Sets of states always ROBDD • During image computation • Before and After image computation

  15. So What? • Sets of states as ROBDDs • Can get very large • TR parts repeatedly conjuncted • During each image • Made easier combined with quantification • Still repeated expense • Solution: Partition all state-sets

  16. f ^ ^ ^ ^ f2 f4 f3 f1 Partitioned ROBDD (POBDD) Given the Boolean Function Xfis its partitioned-ROBDD representation if, where and are ROBDDs with variable ordering pi, and, w2 w1 Each wiis called a window function Note that the ROBDDs in each partition may have a different variables ordering pi w4 w3

  17. A simple example f = c (a1b1 + a2b2) + c (a1a2 + b1b2 ) w1 = c w2 = c f1 = c (a1b1 + a2b2) f2 = c (a1a2 + b1b2 ) f2 f1 c c     a1 a1 a2 b1 b1 a2 b2 b2 1 1 0 0 2 : c, a1, a2, b1, b2 1 : c, a1, b1, a2, b2

  18. On Using Partitioning • Sets of states disjunctively partitioned • Key : Use same partitioning windows • In particular, set of reachable states • Induces disjunctive partitioning on TR • TR is a Relation on state pairs: Quadratic • Notice each such TRijcan further be • Monolithic, Disjunctive, or Conjunctive • Image computation • Must consider to and from set in each partition

  19. Reachability Revisited Old Algorithm: From=Reached=S0 do{ To = Img(TR,From) New = To \ Reached Reached += To From = New }while(New  Ø ) Notice that From is now partitioned TR applied to Fromiof partition i, result Toiis also partitioned So Toijis owned by partition j Must be given to j. Quadratic such transfers!

  20. Image and Reachability • Fix point computations performed • On each partition locally Using TRii • Use reachability algorithm on ROBDDs • Synchronization between partitions • Cross-over images finds states use TRij , . • Must keep it infrequent • Postponed till local fixpoint reached

  21. Reachability Example: Initial set w2 w1 I1(x) I3(x) w3 w4 Event Queue 1 3

  22. w2 w1 I1(x) T11 I3(x) w3 w4 Event Queue 3 Local Fix Point

  23. Event Queue 3 4 Cross-over images w2 w1 T12 R1 T14 T13 I3(x) w3 w4

  24. w2 w1 R1 T33 I3(x) w3 w4 Event Queue 4 Another Local Fix point

  25. w2 w1 R1 T31 T32 T34 R3 w3 w4 Event Queue 4 2 1 More Cross over images

  26. w2 w1 R1 T44 R3 w3 w4 Event Queue 1 2 Example, cont.

  27. Outline • Background • The Partitioning Approach • Model Checking • The naïve algorithm • An improved algorithm • Experiments and Conclusion

  28. CTL : temporal properties • EX(f), E(fUg), EG(f) form a basis set • Invariant Checking AGp • Absence of Deadlock • Return to reset state AGEF(s0) • Temporal Implication AG(p  EF q) • Liveness EGp, AFp

  29. Outline • Background • The Partitioning Approach • Model Checking • The naïve algorithm • An improved algorithm • Experiments and Conclusion

  30. Image Computation EXp • forall (partitions j) • forall (partitions k) • PreImg_jk(s) = ∃s′,i[TRjk(s, s′, i) ∧ pk(s′)] • reorder BDD PreImgjk from part order k to j end for • Sj = ∨k PreImgjk end for • output S

  31. Least Fix Point E(pUq) • S := q , S.old := NULL • repeat • S.old := S • temp := computeEX(S) • forall (partitions j) • Sj := qj ∨ (pj ∧ tempj) end for until(S = S.old) • output S

  32. Greatest Fix Point EGp • S := p • repeat • S.old := S • temp := computeEX(S) • forall (partitions j) • Sj := pj ∧ tempj end for until(S = S.old) • output S

  33. What’s the problem? • Image computation has two parts • Transitions local to a partition (i=j) • Transitions Crossing over partitions (i<>j) • Cross-over images are expensive! • Get BDDs, maybe from disk • Store BDDs, maybe over network • Reorder large BDDs • The classical algorithm does one set of cross-over image during each EX.

  34. Outline • Background • The Partitioning Approach • Model Checking • The naïve algorithm • An improved algorithm • Experiments and Conclusion

  35. Least Fix Point E(pUq) • S := q, S.old := NULL • repeat • S.old := S • forall (partitions j) • repeat • Sj .old := Sj • Sj := Sj ∨ (pj ∧ EXl(Sj , j)) … under-approximate until(Sj = Sj .old) end for • S := S ∨ (p ∧ EXc(S)) … add missing states until(S = S.old) • output S

  36. Greatest Fix Point EGp • S := p • Border := p ∧ EXc(S) … candidate set • repeat • S.old := S • forall (partitions j) • repeat • Sj .old := Sj • Sj := pj ∧ (EXl(Sj , j) ∨ Borderj) … over-approx • until(Sj == Sj .old) end for • Border := p ∧EXc(S) … prune states until(S == S.old) • output S

  37. Outline • Background • The Partitioning Approach • Model Checking • The naïve algorithm • An improved algorithm • Experiments and Conclusion

  38. VIS Verilog benchmarks

  39. Conclusions Assuming a model where cross-over images are very expensive, the proposed algorithm: • Is no worse than the classical algorithm • Converges faster, empirically, in terms of • Number of cross-over images • Time spent in cross-over images • Reduces total model checking time • Often quite significantly • Is good for parallel model checking

More Related