
Efficient Reachability Analysis for Verification of Asynchronous Systems



Presentation Transcript


  1. Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha

  2. Outline
  • Formal Verification: Motivation
  • Reachability for Asynchronous Systems
  • Partitioned Transition Relations
  • Efficient Reachability Techniques
    • MBFS and Saturation
  • Saturation: Experimental Results
  • Conclusions

  3. Formal Verification: Introduction
  • Use methods from formal logic
    • Show validity of properties on systems
    • Formal requirements hold on a design
    • Software, circuits, protocol models
  • Alternative to simulation, testing
    • Not all behaviors covered by simulation and testing
  • Model checking
    • Verify concurrent systems
    • Introduced by Clarke et al. (1981)
    • An automated technique

  4. Model Checking
  • Finite state-transition model M, property φ
  • Determine if M satisfies φ
  • Properties like:
    • req is always followed by ack
    • No error state is reachable from the initial state
  • Involves reachability analysis
    • Generate the reachable set of states
  • State space explosion: K boolean state variables give up to 2^K states

  5. Asynchronous Systems
  • Concurrent systems
    • Consist of several execution units
  • Synchronous
    • All units take an execution step together
  • Asynchronous
    • Units may execute independently of each other
    • Interleaved semantics of execution
    • E.g. concurrent software, asynchronous circuits
  • Goal: efficient model checking of asynchronous systems
  [Figure: two approaches to the goal: reduced state-space, symbolic]

  6. Symbolic Model Checking
  • Use Ordered Binary Decision Diagrams (BDDs)
    • Canonical, compact, operate on state sets
  • Encode the system model M with BDDs
    • States encoded by boolean variables V
    • Transition relation also as a BDD N(V,V')
  [Figure: two-state example with one variable a: s0 (a=0), s1 (a=1); transitions t1: s0→s1 (¬a ∧ a'), t2: s1→s0 (a ∧ ¬a'), t3: s1→s1 (a ∧ a'); N(a,a') = (¬a ∧ a') ∨ (a ∧ ¬a') ∨ (a ∧ a'), i.e. N is 0 only for a=0,a'=0; shown as a BDD with variable order a < a']

  7. Partial-Order Reduction
  • Alternative model checking approach
  • Useful if the order of execution of transitions is irrelevant
    • Sufficient to visit a subset of the actual reachable state space
    • Choose a representative set of paths
  • Focus of this talk: full state space reachability using BDDs
  [Figure: two independent units, s0 →a s1 and s0' →b s1'; product states s0s0', s0s1', s1s0', s1s1' reached by the interleavings ab and ba]

  8. Reachability Analysis
  • One-step reachability:
    • Given a set of states S
    • Find which states S' can be reached in one step
  • Iteratively apply one-step reachability
    • Until no new states are visited
  • Breadth-first exploration of the graph
  [Figure: graph over nodes a–g with successive frontiers R0, R1, R2 = R3 (fixpoint reached)]

  9. The Bigger Picture
  [Figure: two combinational circuits with inputs I1, I2, delay elements, and outputs o1, o2; the combined state space enumerates (o1, o2) ∈ {(0,0), (0,1), (1,0), (1,1)}, with an unknown (?) reachability question]

  10. Symbolic Reachability: Image Computation
  • Image of a set of states S
    • Transition relation N: one-step reachability
    • Basic operation, hence must be efficient
  • Symbolic image computation: S(V), N(V,V') as BDDs
    • Img(S,N) = [∃ v ∈ V. (S(V) ∧ N(V,V'))]
  • Reachability (starting from initial S0):
    • Reach(S,N) = S ∪ Img(S,N)
    • Fixpoint: μS. Reach(S,N)
  • Efficiency problem: large N(V,V')
    • Large intermediate BDD sizes in image computation

  11. Illustration: Intermediate BDD Sizes
  [Figure: Dining Philosophers model; #States and #BddNodes plotted against iterations]

  12. Partitioned Transition Relations
  • Introduced by Burch et al. [BCL91]
  • ⊕ : conjunction (∧) or disjunction (∨)
    • N(V,V') = N1 ⊕ N2 ⊕ ... ⊕ Nk
    • Typically, each Ni is much smaller than N
  • Asynchronous systems with interleaving semantics:
    • N(V,V') = N1 ∨ N2 ∨ ... ∨ Nk
    • Ni: only the ith unit executes
    • Img(S, N) = ∨_i Img(S,Ni)
  [Figure: the disjunctive partition N1, N2, N3]
  [BCL91] J.R. Burch, E.M. Clarke, and D.E. Long. Symbolic model checking with partitioned transition relations. In A. Halaas and P.B. Denyer, editors, International Conference on Very Large Scale Integration, pages 49-58, Edinburgh, Scotland, 1991. North-Holland.

  13. BDD Blowup
  • Must consider different intermediate combinations of reachable states of concurrent units
    • Even if they are independent
    • Adds to intermediate BDD sizes
  • Idea: explore each unit separately to avoid such correlation [BCL91]
    • Modified Breadth-First Search (MBFS)

  14. Modified Breadth-First Search (MBFS)
  • Given a disjunctive partition: N1, ..., Nk
  • Compute local fixpoints: μS. Reach(S,Ni)
  • Stop when: ∀ i. Reach(S,Ni) = S
  • Lower intermediate BDD sizes
  • Chaotic fixpoint iteration strategy
    • Family of functions: {Reach(S,Ni) | i ≤ k}
    • Apply functions in arbitrary order till convergence
    • Must apply each function sufficiently often
  • Observation: the MBFS strategy may not be able to avoid blowups in some cases
  [Figure: local fixpoints N1*, N2*, N3*]

  15. Illustration: BDD Blowup in MBFS
  [Figure: states s = (v2, v1, ...) with s0 = (00), s1 = (11), s2 = (01), s3 = (10); transitions N1, N2, N3, ...; MBFS reaches (s0), then (s0,s2), (s0,s1,s2), (s0,s1,s2,s3), and the BDDs over v1, v2 for these intermediate sets grow, leading to BDD explosion]

  16. Saturation: New Approach
  • Assume a fixed variable ordering on BDDs: v1 < v2 < ... < vk
  • Define
    • High(Ni): "least" variable that Ni might change
    • Low(Ni): "greatest" variable that Ni might change
  • Order transition relations by [High(Ni), Low(Ni)]:
    • Nj ≺ Ni
    • Nj changes only "lower" BDD variables than Ni
  [Figure: N1 changes only v1 and N2 changes v2, so N1 ≺ N2]

  17. Saturation (Contd.)
  • Saturate(Ni)
      do
        Compute μS. Reach(S,Ni)        /* states reachable by only Ni */
        ∀ Nj ≺ Ni. Saturate(Nj)        /* explore all Nj ≺ Ni */
      until S does not change
  • Visits all possible reachable states using "lower" transition relations than Ni
  • Overall strategy: K partitions
    • For i = 1 to K: Saturate(Ni)
  [Figure: nested saturation N3* over N2* over N1*]
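The definitions of Img and Reach (slide 10), the MBFS chaotic iteration (slide 14) and the Saturate procedure (slide 17), carried through as an added example that is not part of the original talk or of NuSMV: explicit Python sets stand in for BDDs, each partition Ni is a successor function, and the three-partition system and its ordering N1 ≺ N2 ≺ N3 are constructed for illustration.

```python
# Added example (not from the slides): explicit state sets stand in for BDDs
# and each partition N_i is a successor function, so the code mirrors Img,
# Reach (slide 10), MBFS (slide 14) and Saturate (slide 17) directly.
def img(S, N):
    """Img(S, N): states reachable from S in one step of N."""
    return {t for s in S for t in N(s)}

def reach(S, N):
    """Least fixpoint μS. S ∪ Img(S, N), computed breadth-first."""
    R = set(S)
    while True:
        new = img(R, N) - R
        if not new:
            return R
        R |= new

def mbfs(S0, parts):
    """MBFS: chaotic iteration of local fixpoints until Reach(S, N_i) == S for all i."""
    S, stable = set(S0), False
    while not stable:
        stable = True
        for N in parts:
            R = reach(S, N)
            if R != S:
                S, stable = R, False
    return S

def saturate(S, i, parts):
    """Saturate(N_i); assumes parts[j] ≺ parts[i] (touches only lower vars) for j < i."""
    while True:
        before = S
        S = reach(S, parts[i])          # states reachable using only N_i
        for j in range(i):              # then saturate every N_j ≺ N_i
            S = saturate(S, j, parts)
        if S == before:
            return S

def saturation(S0, parts):
    """Overall strategy: for i = 1..K, Saturate(N_i)."""
    S = set(S0)
    for i in range(len(parts)):
        S = saturate(S, i, parts)
    return S

# Constructed 2-unit system (hypothetical): states are (v1, v2) with v1 < v2;
# N1 touches only v1, N2 only v2 (enabled when v1 != 0), N3 touches both.
def n1(s): return [((s[0] + 1) % 3, s[1])]
def n2(s): return [(s[0], (s[1] + 1) % 3)] if s[0] else []
def n3(s): return [(0, 0)] if s == (2, 2) else []
PARTS, INIT = [n1, n2, n3], {(0, 0)}    # ordered N1 ≺ N2 ≺ N3

def monolithic(S0=INIT, parts=PARTS):
    """Baseline: plain BFS over the unpartitioned N = N1 ∨ N2 ∨ N3."""
    return reach(set(S0), lambda s: [t for N in parts for t in N(s)])
```

All three strategies must agree on the reachable set; what differs in the BDD setting is the size of the intermediate sets each one builds, which the explicit sets here let you inspect by printing S inside reach.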

  18. Saturation: Discussion
  • Advantages
    • Exploits independence of concurrent units
    • Lower intermediate BDD sizes than MBFS
    • Faster reachability computation in many cases
  • Drawbacks
    • May lead to spurious iterations
    • Relies heavily on a good variable ordering

  19. Experimental Results
  • Implemented the Saturation approach in the NuSMV model checker
    • Handles designs of industrial strength
  [Table: comparison with NuSMV with default options; OOR = out of resources]

  20. Experimental Results (contd.)
  • Implemented the MBFS approach in NuSMV
  [Table: comparison with MBFS]

  21. Experimental Results (contd.)
  [Figure: Kanban(20): comparison of intermediate BDD sizes over iterations]

  22. Conclusions
  • Efficient methods to compute reachable states of asynchronous systems
    • Based on disjunctive partitions
    • MBFS
    • Alternative approach: Saturation
    • Experimentally validated on several examples
  • Future research
    • Heuristics for obtaining a good BDD variable ordering automatically
    • Combining Saturation with Partial Order Reduction

  23. Questions ?
