Binary Decision Diagramsand

Symbolic Model Checking

Binary Decision DiagramsBinary Decision Diagramsandand

Symbolic Model CheckingSymbolic Model Checking

Randy Bryant CMUEd Clarke CMUKen McMillan CadenceAllen Emerson U Texas

http://www.cs.cmu.edu/~bryant

– 2 –

Binary Decision DiagramsBinary Decision Diagrams

Restricted Form of Branching ProgramRestricted Form of Branching ProgramGraph representation of Boolean functionCanonical formSimple algorithms to construct & manipulate

Application NicheApplication NicheProblems expressed as Quantified Boolean FormulasA lot of interesting problems are in PSPACE

Symbolic Model CheckingSymbolic Model CheckingProve properties about large-scale, finite-state systemSuccessfully used to verify hardware systems

– 3 –

Boolean Function as LanguageBoolean Function as Language

Truth Table Language

View n-variable Boolean function as language ⊆ {0,1}n

Reduced DFA is canonical representation

00001111

00110011

01010101

00010101

x1 x2 x3 f

DFA

0 1

1 0,1

1

{ 011,101,111 }

– 4 –

From DFA to OBDDFrom DFA to OBDD

0 1

1 0,1

1

x1

x2 x2

x3

1

x1

x2

x3

1

x1

x2

x3

10

Canonical representation of Boolean functionCanonical representation of Boolean functionTwo functions equivalent if and only if graphs isomorphicDesirable property: simplest form is canonical.

– 5 –

Representing Circuit FunctionsRepresenting Circuit Functions

b3 b3

a3

Cout

b3

b2 b2

a2

b2 b2

a2

b3

a3

S3

b2

b1 b1

a1

b1 b1

a1

b2

a2

S2

b1

a0 a0

b1

a1

S1

b0

10

b0

a0

S0

FunctionsFunctionsAll outputs of 4-bit adderFunctions of data inputs

A

B

Cout

SADD

Shared RepresentationShared RepresentationGraph with multiple roots31 nodes for 4-bit adder571 nodes for 64-bit adderLinear growth

– 6 –

Effect of Variable OrderingEffect of Variable Ordering

Good Ordering

Linear Growth

0

b3

a3

b2

a2

1

b1

a1

)()()( 332211 bababa ∧∨∧∨∧

Bad Ordering

Exponential Growth

a3 a3

a2

b1 b1

a3

b2

b1

0

b3

b2

1

b1

a3

a2

a1

– 7 –

Sample Function ClassesSample Function ClassesFunction Class Best Worst Ordering SensitivityALU (Add/Sub) linear exponential HighSymmetric linear quadratic NoneMultiplication exponential exponential Low

General ExperienceGeneral ExperienceMany tasks have reasonable OBDD representationsAlgorithms remain practical for up to 500,000 node OBDDsHeuristic ordering methods generally satisfactory

– 8 –

Symbolic Manipulation with OBDDsSymbolic Manipulation with OBDDs

StrategyStrategyRepresent data as set of OBDDs

Identical variable orderingsExpress solution method as sequence of symbolic operations

Sequence of constructor & query operationsSimilar style to on-line algorithm

Implement each operation by OBDD manipulationDo all the work in the constructor operations

Key Algorithmic PropertiesKey Algorithmic PropertiesArguments are OBDDs with identical variable orderingsResult is OBDD with same orderingEach step polynomial complexity

– 9 –

If-Then-Else OperationIf-Then-Else Operation

Arguments Arguments II, , TT, , EEFunctions over variables XRepresented as OBDDs

ResultResultOBDD representing composite function(I ∧T) ∨ (¬I ∧ E)

MUX1

0

I → T, E

X

I

T

E

ConceptConceptBasic technique for building OBDD from logic network or formula.

– 10 –

0 1

d

c

a

B3 B4

B2

B5

B1

A4,B3 A5,B4

A3,B2

A6,B2

A2,B2

A3,B4A5,B2

A6,B5

A1,B1

Recursive CallsArgument I1

Argument T

b

0

d

1

c

a

A4 A5

A3

A2

A6

A1

If-Then-Else Execution ExampleIf-Then-Else Execution ExampleArgument E

OptimizationsOptimizationsDynamic programmingEarly termination rules

– 11 –

With Reduction

C2

C4

C5

C3

C6

C1 0

d

c

b

1

a

0 1

d

c

b

11

c

a

A4,B3 A5,B4

A3,B2

A6,B2

A2,B2

A3,B4A5,B2

A6,B5

A1,B1

If-Then-Else Result GenerationIf-Then-Else Result Generation

Recursive Calls Without Reduction

Recursive calling structure implicitly defines unreduced BDDApply reduction rules bottom-up as return from recursive calls

– 12 –

Restriction OperationRestriction OperationConceptConcept

Effect of setting function argument xi to constant k (0 or 1).Also called Cofactor operation (UCB)

Fx equivalent to F [x = 1]Fx equivalent to F [x = 0]

k F xi –1

xi +1

xn

x1

F [xi =k]

– 13 –

Restriction Execution ExampleRestriction Execution Example

Argument F

0

c

d

1

Reduced Result

0

a

c

d

1

Restriction F[b=1]

0

a

b

c

d

1

– 14 –

Derived Algebraic OperationsDerived Algebraic OperationsOther operations can be expressed in terms of If-Then-Else

And(F, G)

MUX1

0

F → G, 0

X

F

G

0

If-Then-Else(F, G, 0)

XF

G

MUX1

0

F → 1, G

X

F

G

1

If-Then-Else(F, 1, G)

XF

G

Or(F, G)

– 15 –

Generating OBDD from NetworkGenerating OBDD from NetworkTask: Represent output functions of gate network as OBDDs.

Network EvaluationA A ←← new_new_varvar ("a");("a");BB ←← new_new_varvar ("b");("b");C C ←← new_new_varvar ("c");("c");T1 T1 ←← And (A, 0, B);And (A, 0, B);T2 T2 ←← And (B, C);And (B, C);OutOut ←← Or (T1, T2);

A

B

C

T1

T2

Out

Or (T1, T2);

Resulting GraphsA B C

T1 T2

Out

0 1

a

0 1

c

0 1

b

0 1

b

a

0 1

c

b

c

b

0 1

b

a

– 16 –

Functional CompositionFunctional Composition

G F xi –1

xi +1

xn

x1

x1

xn F [xi =G]

x1

xn xi –1

xi +1

xn

x1

xi –1

xi +1

xn

x1

1 F

0 F

MUX1

0

G

Create new function by composing functions F and G.Useful for composing hierarchical modules.

– 17 –

Variable QuantificationVariable Quantification

1 F

0 F

xi –1

xi +1

xn

x1

xi –1

xi +1

xn

x1

xi –1

xi +1

xn

x1

F∃ ∃ xi F

Eliminate dependency on some argument through quantificationCombine with AND for universal quantification.

– 18 –

Finite State System AnalysisFinite State System Analysis

Systems Represented as Finite State MachinesSystems Represented as Finite State MachinesSequential circuitsCommunication protocolsSynchronization programs

Analysis TasksAnalysis TasksState reachabilityState machine comparisonTemporal logic model checking

Traditional Methods Impractical for Large MachinesTraditional Methods Impractical for Large MachinesPolynomial in number of statesNumber of states exponential in number of state variables.Example: single 32-bit register has 4,294,967,296 states!

– 19 –

Temporal Logic Model CheckingTemporal Logic Model Checking

Verify Reactive SystemsVerify Reactive SystemsConstruct state machine representation of reactive system

Nondeterminism expresses range of possible behaviors“Product” of component state machines

Express desired behavior as formula in temporal logicDetermine whether or not property holds

Traffic LightController

Design

Traffic LightController

DesignTrue

ModelChecker“It is never possible

to have a green light for both N-S and E-W.”

False+ Counterexample

– 20 –

Characteristic FunctionsCharacteristic Functions

A0 /1

A

B

UnionA

B

Intersection

ConceptConceptA ⊆ {0,1}n

Set of bit vectors of length nRepresent set A as Boolean function A of n variables

X ∈ A if and only if A(X ) = 1

Set Operations

– 21 –

Symbolic FSM RepresentationSymbolic FSM Representation

Symbolic RepresentationNondeterministic FSM

00

10

01

11 o2

o1

1

n2

0

n1

o2

o1,o2 encodedold state

n1, n2 encodednew state

Represent set of transitions as function δ(Old, New)Yields 1 if can have transition from state Old to state New

Represent as Boolean functionOver variables encoding states

– 22 –

Reachability AnalysisReachability AnalysisTaskTask

Compute set of states reachable from initial state Q0

Represent as Boolean function R(S)Never enumerate states explicitly

ComputeGiven

δold state

new stateRstate 0/10/1

InitialR0

=

Q0

– 23 –

Breadth-First Reachability AnalysisBreadth-First Reachability Analysis

00

10

01

11

R0

00

R1R0

00 01

R2R1R0

00 01 10

R3R2R1R0

00 01 10

Ri – set of states that can be reached in i transitionsReach fixed point when Rn = Rn+1

Guaranteed since finite state

– 24 –

Iterative ComputationIterative Computation

Ri

δ

Ri

∃

Ri +1

old

new

Ri +1 – set of states that can be reached i +1 transitionsEither in Ri

or single transition away from some element of Ri

– 25 –

Symbolic FSM Analysis ExampleSymbolic FSM Analysis ExampleK. McMillan, E. Clarke (CMU) J. Schwalbe (Encore Computer)

EncoreEncore GigamaxGigamax Cache SystemCache SystemDistributed memory multiprocessorCache system to improve access timeComplex hardware and synchronization protocol.

VerificationVerificationCreate “simplified” finite state model of system (109 states!)Verify properties about set of reachable states

Bug DetectedBug DetectedSequence of 13 bus events leading to deadlockWith random simulations, would require ≈2 years to generate failing case.In real system, would yield MTBF < 1 day.

– 26 –

System Modeling ExampleSystem Modeling Example

Gigamax MemorySystem

Simplifying Simplifying AbstractionsAbstractions

Single word cacheSingle bit/wordAbstract other clustersImprecise timing

InterfaceCluster #2

AbstractionCluster #3

Abstraction

Interface

Mem. CacheControl.

CacheControl.

Global Bus

Cluster #1 Bus

Proc. Proc.

Arbitrary reads & writes

– 27 –

Commercial Applications of Symbolic Model CheckingCommercial Applications of Symbolic Model CheckingSeveral Commercial ToolsSeveral Commercial Tools

Difficult training and customer support

Most Large Companies Have InMost Large Companies Have In--House VersionsHouse VersionsIBM, Lucent, Intel, Motorola, SGI, Fujitsu, Siemens, …Many based on McMillan’s SMV program

Requires SophisticationRequires SophisticationBeyond that of mainstream designers

– 28 –

Application ChallengeApplication Challenge

ChallengingSystems to Design

Model checkingCapacity

SystemSize

Degree of Concurrency

Cannot Apply Directly to Full Scale DesignCannot Apply Directly to Full Scale DesignVerify smaller subsystemsVerify abstracted versions of full system

Must understand system & tool to do effectively

– 29 –

Real World IssuesReal World Issues

Still Too VolatileStill Too VolatileFail by running out of spaceUseless once exceed physical memory capacity

Ongoing Research to Improve Memory PerformanceOngoing Research to Improve Memory PerformanceDynamic variable orderingExploiting modularity of system model

Partitioned transition relationsExploiting parallelism

Map onto multiple machinesDifficult program for parallel computation

» Dynamic, irregular data structures

– 30 –

Dynamic Variable ReorderingDynamic Variable Reordering

Richard Rudell, Synopsys

Periodically Attempt to Improve Ordering for All BDDsPeriodically Attempt to Improve Ordering for All BDDsPart of garbage collectionMove each variable through ordering to find its best location

Has Proved Very SuccessfulHas Proved Very SuccessfulTime consuming but effectiveEspecially for sequential circuit analysis

– 31 –

Dynamic Reordering By SiftingDynamic Reordering By Sifting

a3

b2 b2

a3

a2

a3

b1

b2

0

b3

b1

1

b2

a3

a2

a1

a3

b2

b3

b2

a3

a2

a3

b2

0

b1

b3

1

b2

a3

a2

a1

a2

a3

b1

b2

0

b3

b2

a3

1

b1

a2

a1

a3

b2

0

b3

b2

a3

a2

1

b1

a1

a3 a3

a2

b1 b1

a3

b2

b1

0

b3

b2

1

b1

a3

a2

a1

• • •a3

b2

0

b3

b2

a3

a2

1

a1

b1

BestChoices

Choose candidate variableTry all positions in variable ordering

Repeatedly swap with adjacent variableMove to best position found

– 32 –

Swapping Adjacent VariablesSwapping Adjacent Variables

Localized EffectLocalized EffectAdd / delete / alter only nodes labeled by swapping variablesDo not change any incoming pointers

b1 b1

b2b2 b2b2

e f g h

i jb1 b1

b2

b1

b2

b1

e f

g h i j

– 33 –

Tuning of BDD PackagesTuning of BDD Packages

Cooperative EffortCooperative EffortBwolen Yang, in cooperation with researchers from Colorado, Synopsys, CMU, and T.U. EindhovenMeasure & improve performance of BDDs for symbolic model checking

MethodologyMethodologyGenerated set of benchmark tracesRun 6 different packages on same machineCompare results and share findings

Cooperative competition

– 34 –

Effect of OptimizationsEffect of Optimizations

Compare preCompare pre-- vs. postvs. post--optimized results for 96 runsoptimized results for 96 runs6 different BDD packages16 benchmark traces eachLimit each run to maximum of 8 CPU hours and 900 MBMeasure speedup = Told / Tnew or:

New: Failed before but now succeedsFail: Fail both timesBad: Succeeded before, but now fails

– 35 –

Optimization Results SummaryOptimization Results Summary

Cumulative Speedup Histogram

22

33

61

75 76 76

136

16

0

10

20

30

40

50

60

70

80

>100 >5 >1 >0

speedups

# of

cas

es

>10 >2

>0.9

5

new

bad

faile

d

– 36 –

What’s Good about OBDDsWhat’s Good about OBDDsPowerful OperationsPowerful Operations

Creating, manipulating, testingEach step polynomial complexity

Graceful degradation

Generally Stay Small EnoughGenerally Stay Small EnoughEspecially for digital circuit applicationsGiven good choice of variable ordering

Weak CompetitionWeak CompetitionNo other method comes close in overall strengthEspecially with quantification operations

– 37 –

Thoughts on Algorithms ResearchThoughts on Algorithms Research

Need to be Willing to Attack Intractable ProblemsNeed to be Willing to Attack Intractable ProblemsMany real-world problems NP-hardNo approximations for verification

Who Works on These?Who Works on These?Mostly people in application domain

Most work on BDDs in computer-aided design conferencesNot by people with greatest talent in algorithms

No papers in STOC/FOCS/SODAProbably many ways they could improve things

Fundamental dilemmaCan only make weak formal statements about efficiencyUtility demonstrated empirically