Range Minimization O. Shtrichman The Weizmann Institute Joint work with A.Pnueli, Y.Rodeh, M.Siegel Weizmann Institute
Tool chain (figure; labels only): Code generation, C, DC+, CVT (Verification Condition Generator, Auto-decomposition, Abstraction, Abstraction Level ++, Range Minimizer), TLV (verifier)
Uninterpreted functions: from a general formula to a formula with uninterpreted functions.
Ackermann's reduction: from a formula with uninterpreted functions to a formula in the theory of equality.
Choosing a minimal range for the integer variables (range, resulting state space, method):
0. a,b,c,d,e : {0..65536} (1.2E24) (normal)
1. a,b,c,d,e : {1..5} (3125) (1..n)
2. a,b,c : {1..3}; d,e : {1..2} (108) (connectivity analysis)
3. a: {1}, b: {1-2}, c: {1-3}; d: {1}, e: {1-2} (12) (factorial reduction)
4. ...
The Range-Minimization Problem: given a quantifier-free formula with equalities only, find in polynomial time the minimal domain needed to preserve its truth value. D: infinite domain; D*: finite domain.
Using the (1..11) range imposes a state space of 11^11. We can do much better (figure: graph over x1, x2, y1, y2, g1, g2, u1, f1, f2, u2, z): x1, y1, u1: {0}; x2, y2, f1, f2, u2: {0,1}; g1: {0,1}; g2: {0,2}; z: {0,3}. These ranges impose a state-space of 2^8 = 256.
Before and after, in SMV (figure).
Using Normal Form to analyze the formula: the Disjunctive Normal Form of a formula can be exponentially long in its original size. Yet...
Prediction of the negation sign in DNF: the negation sign of each comparison, if transformed to DNF, can be predicted in polynomial time. Counting negations in the parsing tree (figure: tree over the comparisons d=e, a=b, b=c).
The negation sign can be predicted in P-time. The clauses cannot be predicted in P-time.
If is false, then it has at least one falsifying vector. Without knowing the partitioning of to clauses, we have to consider ~all combinations:
A graphical representation (figure: graph over x1, x2, y1, y2, g1, g2, u1, f1, f2, u2, z, each vertex labelled with its range, {0,1} or 0). These ranges impose a state-space of 16.
The Range-Minimization Algorithm
Step I - preprocessing: add a single unique value to G/G= edges, and remove them from the graph (figure: graph over x1, x2, y1, y2, g1, g2, u1, f1, f2, u2, z with the values 0 and 1 attached).
Step II - Set construction. For each shared vertex, following an arbitrary order:
1. Add a unique value
2. Broadcast the value on G
3. Remove it from the graph
(Figure: the steps applied to g1, g2, z, ending with g1: {0,1}, z: {0,1}.)
(Figure: the steps applied to u1, f1, f2, u2, ending with u1: {0}, f1: {0-1}, f2: {0-2}, u2: {0-3}.)
Why is the algorithm sound? For each G component, in a given vector: as a common value, choose the value originated in the first shared vertex that was removed. The availability of these values is guaranteed by step II. (Figure: the graph with its final ranges, among them u1: {0}, f1: {0-1}, f2: {0-2}, u2: {0-3}.)
Order makes a difference. Order I II III IV: sets {0}, {0,1}, {0,1,2}, {0,1,2,3}; state-space = 24. Order III I II IV: sets {1,0}, {1}, {1,2}, {1,2,3}; state-space = 12.
Order makes a difference. Construct G'(V,E): V: the shared vertexes of G; E: an edge for every two shared vertexes connected directly on G. The Minimal Vertex Cover (MVC) of G': the minimal set of vertexes that cover all edges of G'.
Order makes a difference. The MVC problem is NP-hard, therefore we use a heuristic called the greedy algorithm:
1. Remove vertexes in descending order of degree, until G' is covered
2. Remove the rest of the vertexes in an arbitrary order
(Figure: G' with the resulting order III I II IV.)
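Added example (not from the slides or the CVT implementation): Step II set construction and the greedy-degree ordering in Python, run on the four shared vertices u1, f1, f2, u2. The chain of equality edges u1-f1-f2-u2 is an assumption chosen so that the two orders reproduce the state spaces 24 and 12 shown above; Step I (unshared vertices) and coloring are not implemented here.

```python
from itertools import count

# Constructed example: the four shared vertices of the slides, assumed to be
# joined by a chain of equality (G=) edges u1-f1-f2-u2.
SHARED = ["u1", "f1", "f2", "u2"]
EQ_EDGES = [("u1", "f1"), ("f1", "f2"), ("f2", "u2")]


def step2_sets(eq_edges, order):
    """Step II: for each shared vertex, in the given order, add a fresh value,
    broadcast it over the equality edges still in the graph, remove the vertex."""
    adj = {v: set() for v in order}
    for a, b in eq_edges:
        adj[a].add(b)
        adj[b].add(a)
    sets = {v: set() for v in order}
    fresh = count(0)
    for v in order:
        val = next(fresh)
        seen, stack = {v}, [v]          # broadcast along the remaining G= edges
        while stack:
            u = stack.pop()
            sets[u].add(val)
            for w in adj[u]:
                if w not in seen:
                    seen.add(w)
                    stack.append(w)
        for w in adj.pop(v):            # remove v from the graph
            adj[w].discard(v)
    return sets


def state_space(sets):
    """Size of the state space imposed by the computed ranges."""
    n = 1
    for s in sets.values():
        n *= len(s)
    return n


def greedy_order(edges, vertices):
    """Greedy vertex-cover heuristic: vertices in descending degree (ties by
    position) until every edge of G' is covered, then the rest as listed."""
    uncovered, order = set(edges), []
    while uncovered:
        deg = {v: sum(v in e for e in uncovered) for v in vertices if v not in order}
        v = max(deg, key=lambda x: (deg[x], -vertices.index(x)))
        order.append(v)
        uncovered = {e for e in uncovered if v not in e}
    return order + [v for v in vertices if v not in order]


if __name__ == "__main__":
    for order in (SHARED, greedy_order(EQ_EDGES, SHARED)):
        s = step2_sets(EQ_EDGES, order)
        print(order, {v: sorted(s[v]) for v in SHARED}, "state space =", state_space(s))
```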
Order makes a difference. Vi: the i-th vertex in the order. Si: the computed set of values for Vi. mvck: the set of vertexes in the MVC of component k. mk = |mvck|. For each Vi ∈ mvck: |Si| ≤ i, so the cover contributes at most mk!. For each Vi ∉ mvck: |Si| ≤ mk+1. The upper bound for the state space is: ∏_k mk!·(mk+1)^(nk−mk). In our case the upper bound is
Colors make a difference. Order III I II IV: sets {1,0}, {1}, {1,2}, {1,2,3}; state-space = 12. Same order with colors: sets {1,0}, {1}, {1}, {1,0}; state-space = 4.
Colors make a difference. Construct G''(V,E) and 'color' it: V: the shared vertexes of G. E: add an edge for every two shared vertexes that: 1. are connected through exactly one solid edge (V1,V2) in G; 2. are dominant, due to the ordering, in deciding the value of V1 and V2. (Figure: v3 adjacent to v1, v4 adjacent to v2, v1<v3.) If v3<v1 and v4<v2 then color(v3) ≠ color(v4).
Colors make a difference. yk: the number of colors in mvck (yk ≤ mk). (Figure: G'' with sets {0,1}, {0}, {0}, {0,1}.) For every vertex Vi s.t. i ≤ yk: |Si| ≤ i. For every vertex Vi s.t. yk < i ≤ mk: |Si| ≤ yk. For every vertex Vi s.t. mk < i ≤ nk: |Si| ≤ yk+1. The state-space upper-bound: ∏_k yk!·yk^(mk−yk)·(yk+1)^(nk−mk).
In our case: yk=1, mk=2, nk=4 and the upper bound is (figure: graph over x1, x2, y1, y2, g1, g2, u1, f1, f2, u2, z with ranges {0,1} and 0 attached).
The worst case: double cliques
• One connected component (nk = n)
• All vertexes are shared
• Worst vertex-cover: mk = nk−1
• Worst coloring: yk = mk
Worst state-space = n! (figure: a 4 double-clique)
Formulas with constants (figure: a: {1,5}, b: {1,2,5}, constant 5). The maximal state-space of a formula with ck constants: In the worst case:
The range minimization algorithm - FAQ:
• The Range minimization algorithm is proven to be sound for any mixed graph.
• It utilizes heuristics from 3 famous NP-hard problems: Coloring, Set Cover and Minimal Vertex-Cover
• Under the limitation of the above heuristics, in most cases the algorithm finds a solution which is very close to the optimal one.
• The implementation is ~700 lines long and available
Experimental Results
• Before: 92% verified in reasonable time. After: 99.9% verified in reasonable time (solved almost all hard models)
• With the Range Minimization Module, CVT verified formulas that originally had a state-space of 150^150 and more.