1 Implicit and explicit exploration of the reachable state space of Esterel logical circuits December 12 th, 2002 Yannis BRES Advisor: Gérard BERRY PhD.

Slides:



Advertisements
Similar presentations
Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Advertisements

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
1 Title Page Implicit and Explicit Reachable State Space Exploration Of Esterel Logical Circuits Advisor :
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Timed Automata.
Analyzing and Verifying Esterel Programs Taisook Han , Division of Computer Science, KAIST.
ECE Synthesis & Verification 1 ECE 667 Synthesis and Verification of Digital Systems Formal Verification Combinational Equivalence Checking.
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.
Syntax-driven partitioning for model-checking of Esterel programs Eric Vecchié - INRIA Aoste.
SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
Syntax-driven partitioning for model-checking of Esterel programs Eric Vecchié - INRIA Tick.
Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
Class Presentation on Binary Moment Diagrams by Krishna Chillara Base Paper: “Verification of Arithmetic Circuits using Binary Moment Diagrams” by.
Common Sub-expression Elim Want to compute when an expression is available in a var Domain:
Abstractions. Outline Informal intuition Why do we need abstraction? What is an abstraction and what is not an abstraction A framework for abstractions.
1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.
Esterel Overview Roberto Passerone ee249 discussion section.
ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.
ECE Synthesis & Verification - Lecture 18 1 ECE 697B (667) Spring 2006 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Word-level.
Sanjit A. Seshia and Randal E. Bryant Computer Science Department
Computation Engines: BDDs and SAT (part 2) 290N: The Unknown Component Problem Lecture 8.
Taylor Expansion Diagrams (TED): Verification EC667: Synthesis and Verification of Digital Systems Spring 2011 Presented by: Sudhan.
Swerve: Semester in Review. Topics  Symbolic pointer analysis  Model checking –C programs –Abstract counterexamples  Symbolic simulation and execution.
Embedded Systems Laboratory Department of Computer and Information Science Linköping University Sweden Formal Verification and Model Checking Traian Pop.
ECE Synthesis & Verification - Lecture 10 1 ECE 697B (667) Spring 2006 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Binary.
 2001 CiesielskiBDD Tutorial1 Decision Diagrams Maciej Ciesielski Electrical & Computer Engineering University of Massachusetts, Amherst, USA
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
Direction of analysis Although constraints are not directional, flow functions are All flow functions we have seen so far are in the forward direction.
Formal verification Marco A. Peña Universitat Politècnica de Catalunya.
A Mystery Esterel –small no type inference, subtyping, … no recursion, functions, … no pointers, malloc, GC, … no complex data structures, libraries,
1 Software Testing Techniques CIS 375 Bruce R. Maxim UM-Dearborn.
Cheng/Dillon-Software Engineering: Formal Methods Model Checking.
Compiling ESTEREL circuits into finite states machines BRES Yannis Stage de DEA d’Informatique 1998/1999.
Digitaalsüsteemide verifitseerimise kursus1 Formal verification: BDD BDDs applied in equivalence checking.
Identifying Reversible Functions From an ROBDD Adam MacDonald.
Binary Decision Diagrams (BDDs)
Model Checking Lecture 4 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.
Theory of Computing Lecture 15 MAS 714 Hartmut Klauck.
Benjamin Gamble. What is Time?  Can mean many different things to a computer Dynamic Equation Variable System State 2.
“Software” Esterel Execution (work in progress) Dumitru POTOP-BUTUCARU Ecole des Mines de Paris
Daniel Kroening and Ofer Strichman 1 Decision Procedures An Algorithmic Point of View BDDs.
© S. Ramesh / Kavi Arya / Krithi Ramamritham 1 IT-606 Embedded Systems (Software) S. Ramesh Kavi Arya Krithi Ramamritham KReSIT/ IIT Bombay.
Umans Complexity Theory Lectures Lecture 1a: Problems and Languages.
Convergence of Model Checking & Program Analysis Philippe Giabbanelli CMPT 894 – Spring 2008.
On the Relation between SAT and BDDs for Equivalence Checking Sherief Reda Rolf Drechsler Alex Orailoglu Computer Science & Engineering Dept. University.
Daniel Kroening and Ofer Strichman 1 Decision Procedures An Algorithmic Point of View BDDs.
- 1 -  P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Validation - Formal verification -
Verification & Validation By: Amir Masoud Gharehbaghi
1 Distributed BDD-based Model Checking Orna Grumberg Technion, Israel Joint work with Tamir Heyman, Nili Ifergan, and Assaf Schuster CAV00, FMCAD00, CAV01,
BDDs1 Binary Tree Representation The recursive Shannon expansion corresponds to a binary tree Example: Each path from the root to a leaf corresponds to.
To Split or to Conjoin: The Question in Image Computation 1 {mooni, University of Colorado at Boulder 2 Synopsys.
CS357 Lecture 13: Symbolic model checking without BDDs Alex Aiken David Dill 1.
Hardwired Control Department of Computer Engineering, M.S.P.V.L Polytechnic College, Pavoorchatram. A Presentation On.
Equivalence checking Prof Shobha Vasudevan ECE 598SV.
SOFTWARE TESTING LECTURE 9. OBSERVATIONS ABOUT TESTING “ Testing is the process of executing a program with the intention of finding errors. ” – Myers.
Verification vs. Validation Verification: "Are we building the product right?" The software should conform to its specification.The software should conform.
Teooriapäevad, Vanaõue, Sept Synthesis of Test Purpose Directed Reactive Planning Tester for Nondeterministic Systems 1 Jüri Vain, Kullo Raiend,
Introduction to Formal Verification
Discrete Controller Synthesis
An explicit state model checker
State Abstraction Techniques for the Verification of Reactive Circuits
Presentation transcript:

1 Implicit and explicit exploration of the reachable state space of Esterel logical circuits December 12 th, 2002 Yannis BRES Advisor: Gérard BERRY PhD Defense

2 Outline Introduction: Context of this work, the reactive synchronous approach, Esterel, automata and circuits, reachable state space computation, BDDs I – Pure implicit approach: A formal verifier offering variable inputization or abstraction II – Enumerative approach: A versatile engine for the exploration of reachable state spaces: Automaton generation Formal verification Exhaustive test sequence generation Conclusions and future prospects

3 The reactive synchronous approach Based upon the semantic model of Finite State Machines (FSMs) Reactive programs: Execution split in reactions (instants), time is discrete Synchronous programs: Theoretical simplification: reaction duration is 0, instantaneous broadcast Environment analysis then reaction to this environment Broad application domain: Real-time systems Control/supervision of industrial processes Embedded systems Physical controlers …

4 Esterel A reactive synchronous imperative language with control-flow dominance Modules/blocks run in parallel or sequentially Modules/blocks can be preempted, suspended and resumed Communication performed through instantaneously broadcast signals Formal semantics module Synchronize : inputA, B; outputO; [ await A || await B ] ; emit O end module

5 Explicit automata Central design representation in Esterel v1, v2, v3: automata module Synchronize : inputA, B; outputO; [ await A || await B ] ; emit O end module Automata can be exponentials both:  in construction time  in storage space

6 Circuits Central design representation since Esterel v4: logical circuits Generation time and storage space are linear with respect to source code size

7 Automata vs. Circuits Let's add a C signal in the previous program…

8 Automata vs. Circuits Let's add a C signal in the previous program…

9 Formal verification by observers module Synchronize : inputA, B; outputO; [ await A || await B ] ; emit O end module abort await O ; emit BUG when A || Observers run in parallel with the program to be verified Safety properties: "something wrong never occurs" Safety properties: "something good will occur sooner or later" Answer formally to the question: "can BUG ever be emitted?"

10 Reachable state space computation reachable state space computation (RSS) Cornerstone of numerous applications: automaton generation generation of exhaustive test sequences formal verification equivalence checking

11 Reachable state space computation approachstate analysis transition analysis pure implicit BDDs enumerative implicit explicit Several approaches to RSS computation: "Onion" representation, by depth level: Initial state States reachable in 1 tick States reachable in 2 ticks States reachable in 3 ticks …

12 Binary Decision Diagrams (BDDs) Variable ordering is constant within the whole tree (here: x 1 < y 1 < x 2 < y 2 ) Variable node (x 1, x 2, y 1, y 2 ) Terminal node (0 or 1 constants) "When false" path "When true" path x1x1 y1y1 y1y1 x2x2 x2x2 x2x2 x2x2 y2y2 y2y2 y2y2 y2y2 y2y2 y2y2 y2y2 y2y (x 1  y 1 )  (x 2  y 2 )

13 Binary Decision Diagrams (BDDs) Several simplification rules: x1x1 y1y1 y1y1 x2x2 x2x2 x2x2 x2x2 y2y2 y2y2 y2y2 y2y2 y2y2 y2y2 y2y2 y2y ) 0 Useless tests are removed (x 1  y 1 )  (x 2  y 2 )

14 Binary Decision Diagrams (BDDs) Several simplification rules: x1x1 y1y1 y1y1 x2x2 x2x2 y2y2 y2y2 y2y2 y2y ) 0 2) Useless tests are removed Isomorph nodes/trees are shared (x 1  y 1 )  (x 2  y 2 )

15 Binary Decision Diagrams (BDDs) Several simplification rules: 1) 2) 3) x2x2 x2x2 x2x2 y2y2 y2y2 y2y2 y2y2 y2y2 y2y x1x1 y1y1 y1y1 x2x2 y2y2 y2y2 10 Useless tests are removed Isomorph nodes/trees are shared Edges are tagged in order to share opposite nodes (not shown here) (x 1  y 1 )  (x 2  y 2 )

16 Binary Decision Diagrams (BDDs) Worst-case complexities in both time and space: In most cases: Very efficient algorithms for boolean function manipulations A very compact representation of boolean functions Representation of sets through their caracteristic function Representation of functions associated to circuit gates Uses: =, -constant , ,  quadratic , substitutions exponential

17 Reachable state space computation using BDDs Exponentially complex wrt the number of involved variables: 1 BBD variable per input Intermediate variable: must be , doesn't appear in results 1 BDD variable per state variables (register/latch)  Goal: reducing the number of state variables! Persistent variable: must be , appears in results

18 Outline Introduction: Context of this work, the reactive synchronous approach, Esterel, automata and circuits, reachable state space computation, BDDs I – Pure implicit approach: A formal verifier offering variable inputization or abstraction II – Enumerative approach: A versatile engine for the exploration of reachable state spaces: Automaton generation Formal verification Exhaustive test sequence generation Conclusions and future prospects

19 Reducing the number of variables A usual technique for state variable number reduction: Turn state variables into free inputs (inputization) Less variables to substitute As many variables to  Our approach: abstract variables using a ternary-valued logic (0,1,d) Variables to be abstracted are replaced by the constant d (indifferent) Less variables to substitute Less variables to  Ternary-valued logic (0,1,d) :  dd  01d d d0dd  01d 001d 1111 dd1d vv0v0 v1v d = Abstracted variables are pre-quantified

20 Inputization and abstraction: example inputA, B; outputO; [ await A || await B ] ; emit O inputizationabstraction

21 Over-approximation Both inputization and abstraction weakens contraints between variables  Conservative over-approximation with respect to the RSS  "Snowball effect" Inputization maintains correlation between variable instances r   r  i   i = 0r   r  i   i = 1 Abstraction loses correlation between variable instances r   r  d   d = dr   r  d   d = d  Formal verif.: no erroneous validation, only erroneous refutations + -

22 Over-approximation Both inputization and abstraction weakens contraints between variables  Conservative over-approximation with respect to the RSS  "Snowball effect" Inputization maintains correlation between variable instances r   r  i   i = 0r   r  i   i = 1 Abstraction lose correlation between variable instances r   r  d   d = dr   r  d   d = d  Formal verif.: no erroneous validation, only erroneous refutations Additional source of over-approximation within the RSS computation when using a ternary-valued logic: set widening In practice, when over-approximation races out of control, erroneous refutations arise very quickly and computations stop +

23 The Esterel selection tree [ await I1 ; do something ; await I2 ; do something || await I3 ; do something ] ; await I4 ; do something #  # Allows to reduce over-approximation in two ways: Reinforcement of relations between inputs for inputized variables RSS ceiling

24 Our formal verifier: evcl Esterel Verification Command Line Main functionalities: Over-approximation reduction using structural informations White-box (integrated observers) / Black-box (external observers) … > lines of C++ (and > lines of shared libraries) Variable inputization and abstraction Experimentations: (Mirage fuel management system, A380 warning system) Abstraction can be up to 26 times faster than inputization When over-approximation races out of control, computations stop quickly  Nothing to lose in trying it!

25 Outline Introduction: Context of this work, the reactive synchronous approach, Esterel, automata and circuits, reachable state space computation, BDDs I – Pure implicit approach: A formal verifier offering variable inputization or abstraction II – Enumerative approach: A versatile engine for the exploration of reachable state spaces: Automaton generation Formal verification Exhaustive test sequence generation Conclusions and future prospects

26 Reachable state space computation approachstate analysis transition analysis pure implicit BDDs enumérative implicit explicit Several approaches to RSS computation: "Onion" representation, by depth level: Initial state States reachable in 1 tick States reachable in 2 ticks States reachable in 3 ticks …

27 Enumerative RSS computation A versatile engine for the exploration of reachable state spaces: States are individually analysed by propagating information within the circuit Pure explicit approach: Transitions analysed through recursive branchings on inputs Hybrid implicit/explicit approach: Transitions analysed through BDD propagations Automaton generation Transparent support for (constructive) cyclic circuits Several heuristics aiming at avoiding time or space explosion  Very good performances > lines of C++ (and > lines of shared libraries) Formal verification Exhaustive test sequence generation

28 Automaton generation Risk of explosion in both time and space A maximum of the control flow is computed at compilation time Usually a very efficient implementation Only data-dependent expressions remain to be evaluated at run time Central design representation in Esterel v1, v2, v3: automata Central design representation since Esterel v4: logical circuits Automaton generation has been neglected since v4: v4 generator had very bad performances Automata explicit numerous informations concerning designs Basically linear wrt source code in both generation time and storage space Advantages of automata remain! v4 generator could not handle cyclic circuits …

29 Automaton generation Enumerative approach practicaly unavoidable Pure explicit approach better than hybrid approach How to generate an automaton? Our automaton generator, scoc : By far more efficient than the v4 generator Integrated into the Esterel compiler since v5_91 (too much BDD cofactorisations are required) (for the respect of action causality) From now on marketed by Esterel Technologies Inc.

30 Application to formal verification Pure implicit approach unavoidable for most designs Pure implicit approach drawbacks: Behaviour difficult to foresee, risks of explosion Can only be applied to acyclic circuits Very sensitive to redundant registers Enumerative approach pros: Behaviour usually very steady Transparent support for cyclic circuits Non-sensitive to redundant registers or design depth Usually a lot much slower, can only be used in precise cases: Deep designs (SAT   ) Designs with numerous redundant registers (BDDs   )

31 Formal verification – experimentations Purely linear testbench (depth: 243; states: 243) Texas Instruments data bus (depth: 181; states: ) SAT (Prover) pure implicit approach pure explicit approach implicit / explicit approach no result after >3h39mn1.6s1.8s < 40 Mb8.5 Mbinsignifiant memory consumption SAT (Prover) pure implicit approach pure explicit approach implicit / explicit approach nothing after several hours 17mn:  (depth 9) 2h 33mn3h 09mn ???2 Gb104 Mb110 Mb

32 Generation of exhaustive test sequences Finite State Machine semantic model: Different coverage goals: State coverage Coverage of pathes leading to specific signals emission Transition coverage …  Generation of exhaustive tests sequences is feasible

33 Generation of exhaustive test sequences Esterel Technologies approach: pure implicit Standard RSS computation (except for transition coverage) Transitions are built by reverse image computations Coverage data updates  BDD updates Complete transition coverage not implemented Only connected state pairs are connected Enumerative approach is more suited and not sensitive to coverage goal Number of state variables is doubled

34 State coverage – Experimentations designstates implicit approach implicit / explicit approach ratio # sequ.time# sequ.time NDA  3.5 Arbiter1213cyclic10.03 NDA  3.5 Wristwatch  16 NDA  11 ATDS-100-C  36 Renault  39 Testbench243killed after >>1h13.16 TCINT  86 NDA  76 NDA  39

35 Conclusions A formal verification tool based on pure implicit approach: An engine for the exploration of reachable state spaces: Automaton generation Formal verification Variables can be replaced by free inputs Variables can be abstracted using a ternary-valued logic Over-approximation reduction using structural information White/Black box verification … Enumerative analysis of states Generation of exhaustive test sequences Explicit or implicit analysis of transitions Versatile:

36 Future prospects Implicit approach: Variable weighting heuristics of Quer/Cabodi et al. ? Automate the selection of variables to inputize/abstract Combine variable abstraction and RSS computation decomposition Enumerative approach: Compact the known state table State analysis prioritization (bug chasing) In case of excessive over-approximation, refine abstraction Counter-example analysis of Clarke/Grumberg et al. Cho/Govidaraju et al. approaches … Bitstate hashing of Holzmann, hash compaction of Stern/Dill et al. Yang/Dill et al. …

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.