Slide 1: Optimizing Symbolic Model Checking for Constraint-Rich Systems
Randal E. Bryant
Bwolen Yang, Reid Simmons, David R. O'Hallaron
Carnegie Mellon University
Slide 2: NASA's Deep Space One (DS1) Spacecraft
The fault diagnosis model qualitatively describes the spacecraft's behavior.
Slide 3: Autonomous Spacecraft: NASA DS1's Fault Diagnosis Model
Fault Diagnosis Model
- component interconnections (thrusters, motors, valves, ...)
- component state: mode (e.g., a thruster's force: low / nominal / high)
Also used in the Robot Explorer (Nomad: Antarctic meteorite explorer)
Livingstone Diagnostic Engine [Williams & Nayak '96]: sensor data + fault diagnosis model ==> consistent?
Slide 4: Verification of DS1's Fault Diagnosis Model [Simmons, CMU]
Automatically translated to the SMV model checker
- state transition == component's mode changes
- time-invariant constraints
  - sensor values and modes
  - interconnection between components
- automatic translation ==> little / no manual optimization
  - vs. models built from scratch by verification experts
Slide 5: Verification of DS1's Fault Diagnosis Model
Challenge: failed due to the large number of state variables
- 600-1200 state bits
  - model checker's capacity: ~ a few hundred state bits
Observation
- dominated by time-invariant constraints
Slide 6: Time-Invariant Constraints, Example 1: Establish Interface
component 1 (out) --> pipe with capacity c --> component 2 (in)
  min(out, c) == in
"in" is redundant
Slide 7: Time-Invariant Constraints, Example 2: Use of Generic Parts (both software / hardware)
- specific use ==> constraints
  a bi-directional component 1 (out) --> component 2 (in), specialized to one direction
  redundant components! e.g., valves always set to the same direction
Slide 8: Time-Invariant Constraints, Observation 1 (Examples 1 + 2): Many Unnecessary State Variables (macros)
- Establish Interface: in := min(out, c)
- Specific Use of Generic Parts: valve-direction := some constant (after inlining the module)
Slide 9: Time-Invariant Constraints, Example 3: Indirection (based on the specification)
transition relation:
  next(bus.state) := complex expression f
invariant constraints:
  device1.output1 := switch (bus.state) ...
  device1.output2 := switch (bus.state) ...
Slide 10: Time-Invariant Constraints, Example 4: Consistent Non-Deterministic Choices
invariant constraint:
  cmd := expression f with non-determinism (due to incomplete specification or abstraction)
transition relations:
  next(device1.output1) := switch (cmd) ...
  next(device1.output2) := switch (cmd) ...
Slide 11: Time-Invariant Constraints, Observation 2 (Examples 3 + 4): Variables with Constraints Used in the Current State Only
- Indirection:
  device1.output1 := switch (bus.state) ...
  device1.output2 := switch (bus.state) ...
- Consistent Non-Deterministic Choices:
  cmd := expression f with non-determinism (due to incomplete specification or abstraction)
==> the corresponding next-state BDD variables are NOT used: early quantification in pre-image computation
  - pre-image quantifies out next-state variables
Slide 12: Time-Invariant Constraints, Example 5: Conditional Assignments
  (tank == non-empty) => (out-pressure.sign := positive) & (out-pressure.relative := nominal)
Note
- occurs for interface and indirection
- mostly simple (as above), but sometimes quite complicated
  - p1 => ((p2 => (a := ...)) & (p3 => (b := ...)))
  - the most complicated expression has > 10,000 characters
Slide 13: Time-Invariant Constraints, Observation 3 (Example 5): Combining Time-Invariant Constraints ==> Macros
  p1 => (a := ...)
  p2 => (a := ...)
  p3 => (a := ...)
  ...
  ==> a := some deterministic expression
complex expressions ==> syntactic analysis is insufficient
Slide 14: Optimizations for Constraint-Rich Models
Time-Invariant Constraints
- arise from modeling
- may have lots of redundant state bits
Our Solutions
- remove redundant state variables
  - identify macros: assignment-extraction algorithm
  - select macros: BDD characteristics
- partition (conjunctive partitioning) the remaining constraints
  - apply an improved version of the [Ranjan et al. '95] algorithm
Slide 15: Redundant State-Variable Removal
Problem Statement: given an invariant constraint c and a state variable v,
  Question: does c ==> (v == g)?  If so, v is redundant: replace v with g.
Related Work: [Berthet et al. '90] [Lin & Newton '91] [Hu & Dill '93] [Eijk & Jess '96] [Sentovich et al. '96]
Problems
- require constraints to be combined first
- removal is not always beneficial
Slide 16: Redundant State-Variable Removal, Our Approach: Assignment Extraction Algorithm
  c_i, v ==> G_i   (a non-deterministic assignment v ∈ G_i)
If G_i = { g_i }, we have v == g_i
Slide 17: Redundant State-Variable Removal, Partitioned Constraints
  c_1, v ==> G_1
  c_2, v ==> G_2
  ...
  c_n, v ==> G_n
v == g?  Use graph (BDD) sizes to determine the "goodness" of g.
Slide 18: Redundant State-Variable Removal, Assignment Extraction Algorithm (Core Idea)
Target: construct a solution for G_i such that c_i ==> (v ∈ G_i)
For all k ∈ K_v, where K_v is the set of possible values of v:
  c_i|v=k ==> (k ∈ G_i)   [substitute v with k]
  G_i = ∪ over k ∈ K_v of ( if c_i|v=k then { k } else { } )
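As an added worked example (not code from the slides, the paper, or the SMV tooling), the core idea of the assignment extraction algorithm above run over small finite domains: G is computed for every valuation of the other variables by trying each k ∈ K_v, and v is a macro exactly when G is a singleton wherever the constraint is satisfiable at all. Explicit enumeration of valuations stands in for the BDD cofactor c_i|v=k of the slides; the three constraints (the pipe interface from slide 6, a pair of conditional assignments as in slide 13, and a non-deterministic valve choice as in slide 10) and their domains are constructed for the example.

```python
from itertools import product


def extract_assignment(c, v, domains):
    """Assignment extraction for one constraint c and one state variable v.

    c       : callable taking a valuation {var: value} and returning a bool
    v       : the variable to test for redundancy
    domains : {var: list of possible values}; domains[v] plays the role of K_v

    Returns (others, G): `others` lists the remaining variables and G maps each
    valuation of them (a tuple in `others` order) to the set
        G(env) = { k in K_v : c holds under env with v = k }   (c|v=k is not false)
    """
    others = [x for x in domains if x != v]
    G = {}
    for vals in product(*(domains[x] for x in others)):
        env = dict(zip(others, vals))
        G[vals] = {k for k in domains[v] if c({**env, v: k})}
    return others, G


def is_macro(G):
    """v is a macro iff G is a singleton wherever c is satisfiable at all.
    An empty G means c is false for every value of v: a don't-care valuation."""
    return all(len(g) == 1 for g in G.values() if g)


def macro_function(others, G):
    """Build g so that v == g(env) on every satisfiable valuation (None elsewhere)."""
    def g(env):
        choices = G[tuple(env[x] for x in others)]
        return next(iter(choices)) if choices else None
    return g


def substitution_is_sound(c, v, g, domains):
    """The replacement step of slide 15: with v := g, the constraint c must still
    hold on every valuation of the other variables where c was satisfiable."""
    others = [x for x in domains if x != v]
    for vals in product(*(domains[x] for x in others)):
        env = dict(zip(others, vals))
        satisfiable = any(c({**env, v: k}) for k in domains[v])
        if satisfiable and not c({**env, v: g(env)}):
            return False
    return True


def analyse(c, v, domains):
    """Return (is_macro, substitution_sound_or_None) for constraint c and variable v."""
    others, G = extract_assignment(c, v, domains)
    if not is_macro(G):
        return False, None
    return True, substitution_is_sound(c, v, macro_function(others, G), domains)


# Constructed example 1 (slide 6, "establish interface"): in == min(out, c).
PIPE = {"out": [0, 1, 2], "cap": [0, 1, 2], "in": [0, 1, 2]}
def pipe_constraint(s):
    return s["in"] == min(s["out"], s["cap"])

# Constructed example 2 (slide 13): conditional assignments that together cover
# every case combine into one deterministic macro for `a`.
COND = {"p": [False, True], "a": [0, 1, 2]}
def conditional_constraint(s):
    return (not s["p"] or s["a"] == 1) and (s["p"] or s["a"] == 2)

# Constructed example 3 (slide 10): a genuinely non-deterministic choice left by
# an incomplete specification; a closed valve's direction is not fixed, so `dir`
# is not a macro (it is still a current-state-only variable, see slide 11).
VALVE = {"mode": ["open", "closed"], "dir": ["fwd", "rev"]}
def valve_constraint(s):
    return s["mode"] != "open" or s["dir"] == "fwd"


if __name__ == "__main__":
    for name, c, v, dom in [("pipe/in", pipe_constraint, "in", PIPE),
                            ("conditional/a", conditional_constraint, "a", COND),
                            ("valve/dir", valve_constraint, "dir", VALVE)]:
        print(name, analyse(c, v, dom))
```

The interesting output is the valve case: G contains both directions whenever the valve is closed, so extraction reports "not a macro" without any syntactic pattern matching, which is the point of slide 13's remark that syntactic analysis alone is insufficient.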
Slide 19: Conjunctive Partitioning of Time-Invariant Constraints
  image(S) = ∃V. T ∧ (S ∧ C) = ∃(V∖W). T ∧ [ ∃W. (S ∧ C) ]
  where T does not depend on the variables in W.
- many variables are used only in time-invariant constraints
Represent C as a conjunctive partition
- C = C_1 ∧ C_2 ∧ ... ∧ C_m
- the monolithic BDD is too large to build
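As an added example (not code from the slides or from any model checker) of the identity above, an image computation on explicit state sets: the constraint C is kept as a list of conjuncts C_1, C_2 and never built as one object, and the variables W that only C mentions are quantified out of S ∧ C before the conjunction with T, which reads only V∖W. Both orders give the same image; the early-quantified order builds a smaller intermediate relation. The variables, the transition relation and the two conjuncts are constructed for the example.

```python
from itertools import product

VARS = ("x", "y", "w1", "w2")   # w1, w2 occur only in the time-invariant constraint C
TRANS_VARS = ("x", "y")         # T depends on these variables only (V \ W)
W = tuple(v for v in VARS if v not in TRANS_VARS)


def val(s, v):
    """Value of variable v in a full state tuple s (VARS order)."""
    return s[VARS.index(v)]


def reduce_state(s):
    """Restrict a full state to TRANS_VARS: existential quantification of W."""
    return tuple(val(s, v) for v in TRANS_VARS)


# Conjunctive partition of C (constructed):
#   C1: w1 == (x and y)    an indirection-style invariant (slide 9)
#   C2: w2 -> x            a conditional constraint (slide 12)
C_PARTS = [
    lambda s: val(s, "w1") == (val(s, "x") and val(s, "y")),
    lambda s: (not val(s, "w2")) or val(s, "x"),
]


def T(r, t):
    """Transition relation on (present restricted to TRANS_VARS, full next state):
    x' = y and y' = not x.  Next-state w1', w2' are left free here; C fixes them
    once the image is conjoined with C again (slide 11: their next-state
    variables are never used by T)."""
    x, y = r
    return val(t, "x") == y and val(t, "y") == (not x)


ALL_STATES = [tuple(bits) for bits in product((False, True), repeat=len(VARS))]


def conjoin(states, parts):
    """S & C_1 & ... & C_m, applied one conjunct at a time (no monolithic C)."""
    for c in parts:
        states = {s for s in states if c(s)}
    return states


def image_direct(S):
    """image(S) = exists V. T & (S & C): quantify everything at the end.
    Returns (image, size of the intermediate present/next relation)."""
    pairs = {(s, t) for s in conjoin(S, C_PARTS) for t in ALL_STATES
             if T(reduce_state(s), t)}
    return {t for _, t in pairs}, len(pairs)


def image_early(S):
    """image(S) = exists (V\\W). T & [exists W. (S & C)]: quantify W first."""
    reduced = {reduce_state(s) for s in conjoin(S, C_PARTS)}
    pairs = {(r, t) for r in reduced for t in ALL_STATES if T(r, t)}
    return {t for _, t in pairs}, len(pairs)


if __name__ == "__main__":
    S = {s for s in ALL_STATES if val(s, "x")}     # constructed start set: x == true
    img_d, n_d = image_direct(S)
    img_e, n_e = image_early(S)
    print("images equal:", img_d == img_e, "| image size:", len(img_d))
    print("intermediate relation size: direct", n_d, "early-quantified", n_e)
    print("image after re-applying C:", len(conjoin(img_d, C_PARTS)))
```

With explicit sets the saving shows up as fewer tuples in the intermediate relation; with BDDs it is the same effect on graph size, since the variables in W never have to be carried through the conjunction with T.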
Slide 20: Optimizations for Constraint-Rich Models: Overall Impact
[chart: time (sec)]
Slide 21: Performance Breakdown
- BDD-based macro optimization
- early quantification of W for ∃V. T ∧ [ ∃W. (S ∧ C) ], without and with macro optimization
Slide 22: Effects of BDD-Based Macro (no early quantification)
[chart: time (sec)]
Slide 23: Effects of BDD-Based Macro: Causes
[chart: % BDD vars removed]
Slide 24: Performance Breakdown (continued)
- BDD-based macro optimization
- early quantification of W for ∃V. T ∧ [ ∃W. (S ∧ C) ], without and with macro optimization
Slide 25: Effects of Early Quantification (no macro optimization)
[chart: time (sec)]
Slide 26: Effects of Early Quantification: Causes (no macro optimization)
[chart: % BDD vars extracted; maximum achievable = 50%]
Slide 27: Effects of Early Quantification (with macro optimization)
[chart: time (sec)]
Slide 28: Summary & Future Work
Optimizations for Constraint-Rich Models
- enabled verification of DS1's fault diagnosis model
  - 159 specs within 1 min
- typical of the effort required to deal with models generated automatically from a modular description
BDD Algorithms for Compiler-Type Analysis
- assignment-extraction algorithm
  - cone-of-influence analysis: exact dependence information