
Algorithmic Software Verification





  1. Algorithmic Software Verification V & VI. Binary decision diagrams

  2. References
  • Symbolic model checking: an approach to the state explosion problem. Ken McMillan, 1992.
  • Graph-based algorithms for Boolean function manipulation. Randal Bryant, 1986.

  3. Boolean EFSMs with 1 location
  EFSMs with boolean variables; one location and no alphabet.
  EFSM = ( X, G_in, T )
  - X: finite set of boolean variables
  - G_in: predicate over X (initial states)
  - T: transition relation, a set of pairs (g(X), A(X)) of guard and assignment

  4. Symbolic representation
  A relation on states is a subset of (S × S). Represent a relation R as a boolean formula over (X ∪ X'), where X' = { x' | x ∈ X }.
  The transition relation is really presented this way:
  formula: OR over (g(X), A(X)) ∈ T of [ g(X) => A(X', X) and all other vars remain the same ]

  5. Reachability
  S_0 = states satisfying G_in
  S_{i+1} = S_i ∪ { s' | ∃ s ∈ S_i, (g, A) ∈ T, s |= g, s' = s[A] }
  Captures breadth-first search.

  6. Reachability
  S_0 = states satisfying G_in
  S_{i+1} = S_i ∪ { s' | ∃ s ∈ S_i, (g, A) ∈ T, s |= g, s' = s[A] }
  Symbolically:
  R_0(X) = G_in(X)
  R_{i+1}(X) = R_i(X) ∨ ∃Z. ( R_i(Z) ∧ T(Z,X) )
  We need a representation of boolean formulas that supports the crucial ops: And, Or, Existential quantification.

  7. Binary decision diagrams
  Intuition: to represent a boolean function f(X), fix an ordering of the variables X and take the decision tree of f corresponding to this ordering. Now:
  - Combine any isomorphic subtrees into a single tree
  - Eliminate nodes whose left and right child are isomorphic
  Results in a canonical DAG for f! Bottom-up procedure: O(n log n).

  8. Definition of BDDs
  Let V = < v1, v2, …, vn >. A BDD is a DAG with terminals 0 and 1, where every other vertex has two children, the left or 0-child and the right or 1-child. Inductively:
  a) 0 is a BDD; dim(0) = 0; represents False
  b) 1 is a BDD; dim(1) = 0; represents True
  c) if d and e are distinct BDDs with dim(d) < i and dim(e) < i, then g = (vi, d, e) is a BDD, dim(g) = i, and g represents the function [ (xi = false) and fd ] or [ (xi = true) and fe ]

  9. Canonicity
  If d and e are two vertices of a BDD and fd = fe, then d = e.
  Proof: by simultaneous induction over dim(d) and dim(e).
  - base case: (0, 0)
  - induction step: consider (i, i); consider (i, j) where i > j.

  10. Canonicity
  Lemma: given a function f(V), there exists a BDD over V which corresponds to it.
  Proof: by induction on the greatest i such that f[vi ← 0] is not the same as f[vi ← 1].

  11. Applying AND
  Given BDDs p and q, construct the BDD r for fp ∧ fq.
  If dim(p) = dim(q), then if p = (vi, lp, hp) and q = (vi, lq, hq):
  r[vi ← 0] = p[vi ← 0] ∧ q[vi ← 0]
  r[vi ← 1] = p[vi ← 1] ∧ q[vi ← 1]
  If dim(p) > dim(q), then p is a non-terminal (vi the variable at p) and:
  r[vi ← 0] = p[vi ← 0] ∧ q
  r[vi ← 1] = p[vi ← 1] ∧ q

  12. Applying OR
  Given BDDs p and q, construct the BDD r for fp ∨ fq.
  If dim(p) = dim(q), then if p = (vi, lp, hp) and q = (vi, lq, hq):
  r[vi ← 0] = p[vi ← 0] ∨ q[vi ← 0]
  r[vi ← 1] = p[vi ← 1] ∨ q[vi ← 1]
  If dim(p) > dim(q), then p is a non-terminal (vi the variable at p) and:
  r[vi ← 0] = p[vi ← 0] ∨ q
  r[vi ← 1] = p[vi ← 1] ∨ q

  13. Applying AND and OR
  Given BDDs p and q, construct the BDD r for fp ∧ fq and for fp ∨ fq:
  - Recursively combine the left children of p and q to get r, and the right children of p and q to get s
  - Create a node with r and s as children
  - For base nodes: 0∧0 = 0∧1 = 1∧0 = 0; 1∧1 = 1; 0∨0 = 0; 0∨1 = 1∨0 = 1∨1 = 1
  Can be done with O(|p|·|q|) subproblems [dynamic programming]:
  - For each node r in p and s in q, (r, s) is called only once
  - Keep track of the results for each (r, s)
  Hence the algorithm is O(|p|·|q|) and the resulting BDD is also O(|p|·|q|).
  Lower bound: there exist functions p and q such that r is O(|p|·|q|).

  14. Applying NOT
  Swap the terminals 0 and 1.

  15. Restriction
  For a function f, f(v=b)(A) = f(A with v := b).
  Given the BDD for f, compute the BDD for f(v=b):
  - Traverse the BDD for f
  - Redirect any edge pointing to a node labelled v so that it points to that node's b-child
  - Reduce the BDD (O(n log n) time)

  16. Existential quantification (EXISTS)
  For a function f, (∃v f)(A) = f(v=0)(A) ∨ f(v=1)(A).
  Given the BDD for f, we can compute the BDD for ∃v f in O(n^2) time.
  Universal quantification is dual.

  17. AndExists
  ∃Z. ( R_i(Z) ∧ T(Z,X) )
  - Can combine the AND and EXISTS algorithms so that the resulting BDD has only |X| variables (and not 2|X| variables)

  18. Deciding questions on BDDs
  - Satisfiability: given BDD p representing f, is f satisfiable? If so, give one satisfying assignment: O(n) time
  - Give all satisfying assignments S_f: O(n·|S_f|) time

  19. Model-checking using BDDs
  Reachability( X, G_in(X), T(X,X'), F(X) )   [ X: vars; G_in, T(X,X') and F are BDDs ]
  R := 0; R' := G_in;
  do { R := R'; R' := R ∨ ∃Z. ( R(Z) ∧ T(Z,X) ); } while (R ≠ R' and R' ∧ F = 0);
  if (R' ∧ F = 0) report "Unreachable" else report "Reachable";

  20. Model-checking using BDDs
  Safety( X, G_in(X), T(X,X'), F(X) )   [ X: vars; G_in, T(X,X') and F are BDDs ]
  R := 0; R' := G_in;
  do { R := R'; R' := R ∨ ∃Z. ( R(Z) ∧ T(Z,X) ); } while (R ≠ R' and R' ∧ F = 0);
  if (R' ∧ F = 0) report "Safe" else report "Unsafe";
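As an added worked example (not from the slides), the ROBDD construction of slides 7 to 17 and the fixpoint loop of slides 19 and 20 in Python: a unique table gives canonicity, apply memoises (p, q) pairs, exists is f[v:=0] ∨ f[v:=1], and reachable() iterates R' = R ∨ ∃Z.(R(Z) ∧ T(Z,X)) over a constructed two-variable EFSM encoded as in slide 4 (demo). The names BDD, reachable, demo and the shift renaming of X' back to X are my own.

```python
import operator
class BDD:
    # ROBDD (slides 7-8): ids 0/1 are terminals; a node testing v_i has dim i > its children's.
    def __init__(self):
        self.nodes = [(0, 0, 0), (0, 1, 1)]   # id -> (dim, low, high)
        self.table, self.memo = {}, {}        # unique table; apply cache
    def mk(self, i, low, high):
        if low == high: return low            # isomorphic children: no test
        key = (i, low, high)
        if key not in self.table:             # share isomorphic subgraphs
            self.nodes.append(key); self.table[key] = len(self.nodes) - 1
        return self.table[key]
    def apply(self, op, p, q):                # Bryant's apply, slides 11-13
        key = (op, p, q)
        if key not in self.memo:              # each (p, q) pair solved once
            if p <= 1 and q <= 1: r = op(p, q)
            else:
                i = max(self.nodes[p][0], self.nodes[q][0])  # top variable
                pl, ph = self.nodes[p][1:] if self.nodes[p][0] == i else (p, p)
                ql, qh = self.nodes[q][1:] if self.nodes[q][0] == i else (q, q)
                r = self.mk(i, self.apply(op, pl, ql), self.apply(op, ph, qh))
            self.memo[key] = r
        return self.memo[key]
    def AND(self, p, q): return self.apply(operator.and_, p, q)
    def OR(self, p, q): return self.apply(operator.or_, p, q)
    def NOT(self, p): return self.apply(operator.xor, p, 1)   # swap 0 and 1
    def exists(self, p, v):                   # slide 16: f[v:=0] or f[v:=1]
        if p <= 1 or self.nodes[p][0] < v: return p   # v absent below p
        i, lo, hi = self.nodes[p]
        if i == v: return self.OR(lo, hi)     # lo/hi are the two restrictions
        return self.mk(i, self.exists(lo, v), self.exists(hi, v))
    def shift(self, p, k):                    # rename v_(i+k) -> v_i (order kept)
        if p <= 1: return p
        i, lo, hi = self.nodes[p]
        return self.mk(i - k, self.shift(lo, k), self.shift(hi, k))

def reachable(b, k, init, trans, bad):        # slide 19/20 loop
    R, Rn = 0, init                           # current vars 1..k, next k+1..2k
    while R != Rn and b.AND(Rn, bad) == 0:    # canonicity: id equality = fixpoint
        R, img = Rn, b.AND(Rn, trans)
        for v in range(1, k + 1): img = b.exists(img, v)   # AndExists over Z
        Rn = b.OR(R, b.shift(img, k))         # X' -> X, then union with R
    return b.AND(Rn, bad) == 0                # True: F unreachable (safe)
def demo():
    # Constructed 2-variable EFSM: x1' = not x1, x2' = x1 and x2, start at 00.
    b = BDD(); x1, x2, n1, n2 = (b.mk(i, 0, 1) for i in (1, 2, 3, 4))
    iff = lambda p, q: b.NOT(b.apply(operator.xor, p, q))
    init = b.AND(b.NOT(x1), b.NOT(x2))
    trans = b.AND(iff(n1, b.NOT(x1)), iff(n2, b.AND(x1, x2)))
    return reachable(b, 2, init, trans, x2)   # F = x2 is never reached -> True
```

The EFSM in demo only visits 00 and 10, so the states with x2 set are unreachable and demo() returns True.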

  21. Model-checking using BDDs
  Other methods are possible and in use:
  -- Backward search from F
  -- Onion-ring approach
  -- Examples for reachability / counterexamples for safety

  22. Implementing BDDs
  BDD packages available:
  - CUDD --- Fabio Somenzi, Colorado University
  - VIS --- Colorado, Berkeley
  Model checking in practice is resplendent with heuristics:
  -- Forward/backward
  -- Variable ordering, e.g. in T(X,X') order x' just after x
  -- Support finite domains directly (MDDs)
  -- Partitioning of transitions/network
  -- Choosing the right frontiers

  23. To continue…
  See McMillan's thesis, where he models a synchronous fair bus arbiter circuit. See the table: number of states, BDD size and time.
  Wants to check:
  - No two acks are asserted simultaneously
  - Every persistent request is eventually acked
  - Ack is not asserted without a request
  These are not really safety/reachability properties, so how do we state and check these specs? Temporal logics!
  Next class: CTL

  24. Homework 3
  1. For any n, show that there is a BDD p_n over n variables representing a set S_n such that both S_n and its complement (S_n)^c are O(2^n) but p_n is of size O(n).
  2. For any n, show that there is a set S_n over a set V of n variables such that:
  --- there is one ordering of V for which the BDD for S_n is O(n)
  --- there is another ordering of V for which the BDD for S_n is O(2^n)
  See the course webpage for hints.
