Presentation is loading. Please wait.

Presentation is loading. Please wait.

On Partitioning and Symbolic Model Checking FM 2005 Subramanian Iyer, UT-Austin Debashis Sahoo, Stanford E. Allen Emerson, UT-Austin Jawahar Jain, Fujitsu.

Published byVivien McCormick Modified over 9 years ago

Similar presentations

Presentation on theme: "On Partitioning and Symbolic Model Checking FM 2005 Subramanian Iyer, UT-Austin Debashis Sahoo, Stanford E. Allen Emerson, UT-Austin Jawahar Jain, Fujitsu."— Presentation transcript:

1 On Partitioning and Symbolic Model Checking FM 2005 Subramanian Iyer, UT-Austin Debashis Sahoo, Stanford E. Allen Emerson, UT-Austin Jawahar Jain, Fujitsu Labs

2 Outline Background The Partitioning Approach Model Checking The naïve algorithm An improved algorithm Experiments and Conclusion

3 Outline Background The Partitioning Approach Model Checking The naïve algorithm An improved algorithm Experiments and Conclusion

4 Sequential Verification Does Implementation fullfil its Specification? Model Checking: State Based Given: System under test Prove: properties given in a temporal logic (eg: CTL, LTL) Required for Model Checking: Input Data : Transition relation Generated : Reachable states, Forbidden states Procedures : Boolean Operations, Image Computation

5 Reachability Analysis S0S0   2n2n From=Reached=S 0 do{ To = Img(TR,From) New = To \ Reached Reached = Reached + To From = New }while(New  Ø ) Algorithm:Simple property:

6 Model Checking Hinges on Reachability Basic Operation: Pre-image In Simple terms Given “bad” formula f Compute reachable states Compute states satisfying f Pass if intersection is empty Key issues : State set generation and representation Extensional, as originally proposed. Symbolic, as now practiced

7 x y zz  y Ordered Binary Decision Diagrams BDDs with  read-once property  fixed Variable order The restrictions guarantee: +Canonicity +efficient Algorithms for Boolean Operations, Tautology, SAT and Equivalence check Disadvantage: -Blow-Up possible The minimizing problem: better BDD Types (?) Transformations (?) Variable- Reordering  Local Search: Sifting

8 Symbolic Model Checking Using BDDs to represent sets of states Key operation is image computation Using transition relation Necessary to succinctly represent the transition relation What is the problem?

9 The Bottleneck in Verification State-based verification, model checking Can be fully automated in principle Why not in practice? State space representation Symbolically manifests as “BDD blowup” Limits extent of automation Limits size of designs that can be handled Capacity is restricted by representation size Memory restricts time BDD based tools – crash or thrash So What can be done?

10 Outline Background The Partitioning Approach Model Checking The naïve algorithm An improved algorithm Experiments and Conclusion

11 Partitioned Transition Relation Represented as conjunction of k parts TR i Easy to construct for synchronous circuits Conjunction of “bitwise” TR i ’s – the transition function of each state variable Set of variables partitioned into k disjoint subsets Transition functions for variables in each subset are conjuncted together to give TR i TR is the implicit conjunction of TR i for i in 1 to k

12 Partitioned TR (Cont‘d) Basis of reachable states computation: Partitioned TR: TR j Cluster of ROBDDsMonolithic ROBDD

13 Image Computation The image computation step: Partitioned TR useful due to early quantification (AndExist): Choice and order of TR j ’s is crucial for a good performance! Img(TR,A)=  xn  TR n    x2  TR 2   x1  TR 1  A)  Img(TR,A)=  x  TR(x,y)  A(x))

14 Partitioned TR - Observations What is it that is partitioned? The set of variables The relation Actual TR is an implicit conjunction Sets of states always ROBDD During image computation Before and After image computation

15 So What? Sets of states as ROBDDs Can get very large TR parts repeatedly conjuncted During each image Made easier combined with quantification Still repeated expense Solution: Partition all state-sets

16 Partitioned ROBDD (POBDD) X f is its partitioned-ROBDD representation if, Given the Boolean Function where and are ROBDDs with variable ordering   and, Note that the ROBDDs in each partition may have a different variables ordering   Each w i is called a window function f w1w1 w2w2 w3w3 w4w4 ^ f1f1 ^ f2f2 ^ f3f3 ^ f4f4

17 A simple example f = c (a 1 b 1 + a 2 b 2 ) + c (a 1 a 2 + b 1 b 2 ) w 1 = c w 2 = c f 1 = c (a 1 b 1 + a 2 b 2 ) f 2 = c (a 1 a 2 + b 1 b 2 ) c a1a1a1a1 0 1   f1f1f1f1 b1b1b1b1 a2a2a2a2 b2b2b2b2  1 : c, a 1, b 1, a 2, b 2 c a1a1a1a1 0 1   f2f2f2f2 a2a2a2a2 b1b1b1b1 b2b2b2b2  2 : c, a 1, a 2, b 1, b 2

18 On Using Partitioning Sets of states disjunctively partitioned Key : Use same partitioning windows In particular, set of reachable states Induces disjunctive partitioning on TR TR is a Relation on state pairs: Quadratic Notice each such TR ij can further be Monolithic, Disjunctive, or Conjunctive Image computation Must consider to and from set in each partition

19 Reachability Revisited From=Reached=S 0 do{ To = Img(TR,From) New = To \ Reached Reached += To From = New }while(New  Ø ) Old Algorithm: Notice that From is now partitioned TR applied to From i of partition i, result To i is also partitioned So To i j is owned by partition j Must be given to j. Quadratic such transfers!

20 Image and Reachability Fix point computations performed On each partition locally Using TR ii Use reachability algorithm on ROBDDs Synchronization between partitions Cross-over images finds states use TR ij,. Must keep it infrequent Postponed till local fixpoint reached

21 Reachability Example: Initial set Event Queue 13 I 1 (x) w2w2 w3w3 w4w4 w1w1 I 3 (x)

22 Local Fix Point T 11 w2w2 w3w3 w4w4 w1w1 I 1 (x) I 3 (x) Event Queue 3

23 Cross-over images Event Queue 34 R1R1 T 14 T 12 T 13 w2w2 w3w3 w4w4 w1w1 I 3 (x)

24 Another Local Fix point Event Queue 4 R1R1 w2w2 w3w3 w4w4 w1w1 T 33 I 3 (x)

25 More Cross over images R1R1 w2w2 w3w3 w4w4 w1w1 R3R3 T 32 T 31 T 34 Event Queue 241

26 Example, cont. R1R1 w2w2 w3w3 w1w1 R3R3 Event Queue 2 1 w4w4 T 44

27 Outline Background The Partitioning Approach Model Checking The naïve algorithm An improved algorithm Experiments and Conclusion

28 CTL : temporal properties EX(f), E(fUg), EG(f) form a basis set Invariant Checking AGp Absence of Deadlock Return to reset state AGEF(s 0 ) Temporal Implication AG(p  EF q) Liveness EGp, AFp

29 Outline Background The Partitioning Approach Model Checking The naïve algorithm An improved algorithm Experiments and Conclusion

30 Image Computation EXp forall (partitions j) forall (partitions k) PreImg_jk(s) = ∃ s′,i[TR jk (s, s′, i) ∧ p k (s′)] reorder BDD PreImg jk from part order k to j end for S j = ∨ k PreImg jk end for output S

31 Least Fix Point E(pUq) S := q, S.old := NULL repeat S.old := S temp := computeEX(S) forall (partitions j) S j := q j ∨ (p j ∧ temp j ) end for until(S = S.old) output S

32 Greatest Fix Point EGp S := p repeat S.old := S temp := computeEX(S) forall (partitions j) S j := p j ∧ temp j end for until(S = S.old) output S

33 What’s the problem? Image computation has two parts Transitions local to a partition (i=j) Transitions Crossing over partitions (i<>j) Cross-over images are expensive! Get BDDs, maybe from disk Store BDDs, maybe over network Reorder large BDDs The classical algorithm does one set of cross-over image during each EX.

34 Outline Background The Partitioning Approach Model Checking The naïve algorithm An improved algorithm Experiments and Conclusion

35 Least Fix Point E(pUq) S := q, S.old := NULL repeat S.old := S forall (partitions j) repeat S j.old := S j S j := S j ∨ (p j ∧ EX l (S j, j)) … under-approximate until(S j = S j.old) end for S := S ∨ (p ∧ EX c (S)) … add missing states until(S = S.old) output S

36 Greatest Fix Point EGp S := p Border := p ∧ EX c (S) … candidate set repeat S.old := S forall (partitions j) repeat S j.old := S j S j := p j ∧ (EX l (S j, j) ∨ Border j ) … over-approx until(S j == S j.old) end for Border := p ∧ EX c (S) … prune states until(S == S.old) output S

37 Outline Background The Partitioning Approach Model Checking The naïve algorithm An improved algorithm Experiments and Conclusion

38 VIS Verilog benchmarks Ckt#C/O Old #C/O New C/O Time old C/O Time new Total M/C time old Total M/C time new S126988671931 Soap 535592171428 Ghg93676166.1528027 Sppint16641242 Gcd15719.769108

39 Conclusions Assuming a model where cross-over images are very expensive, the proposed algorithm: Is no worse than the classical algorithm Converges faster, empirically, in terms of Number of cross-over images Time spent in cross-over images Reduces total model checking time Often quite significantly Is good for parallel model checking

Download ppt "On Partitioning and Symbolic Model Checking FM 2005 Subramanian Iyer, UT-Austin Debashis Sahoo, Stanford E. Allen Emerson, UT-Austin Jawahar Jain, Fujitsu."

Similar presentations

Model Checking Base on Interoplation

Model Checking Base on Interoplation
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Conclusion Summary Research trends Resources.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Conclusion Summary Research trends Resources.
Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.

Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
CS357 Lecture: BDD basics David Dill 1. 2 BDDs (Boolean/binary decision diagrams) BDDs are a very successful representation for Boolean functions. A BDD.

CS357 Lecture: BDD basics David Dill 1. 2 BDDs (Boolean/binary decision diagrams) BDDs are a very successful representation for Boolean functions. A BDD.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
ECE 667 - Synthesis & Verification 1 ECE 667 Synthesis and Verification of Digital Systems Formal Verification Combinational Equivalence Checking.

ECE Synthesis & Verification 1 ECE 667 Synthesis and Verification of Digital Systems Formal Verification Combinational Equivalence Checking.
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
Syntax-driven partitioning for model-checking of Esterel programs Eric Vecchié - INRIA Aoste.

Syntax-driven partitioning for model-checking of Esterel programs Eric Vecchié - INRIA Aoste.
SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.

CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.
CS 267: Automated Verification Lectures 4:  -calculus Instructor: Tevfik Bultan.

CS 267: Automated Verification Lectures 4:  -calculus Instructor: Tevfik Bultan.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.

Similar presentations

Ads by Google