on partitioning and symbolic model checking fm 2005

On Partitioning and Symbolic Model Checking

FM 2005

Subramanian Iyer, UT-AustinDebashis Sahoo, Stanford

E. Allen Emerson, UT-AustinJawahar Jain, Fujitsu Labs

Outline

Background The Partitioning Approach Model Checking

The naïve algorithm An improved algorithm

Experiments and Conclusion

Sequential Verification Does Implementation fullfil its Specification? Model Checking:

State Based Given: System under test Prove: properties given in a temporal logic (eg: CTL,

LTL)

Required for Model Checking: Input Data : Transition relation Generated : Reachable states, Forbidden states Procedures : Boolean Operations, Image

Computation

Reachability Analysis

S0

2n

From=Reached=S0

do{ To = Img(TR,From) New = To \ Reached Reached = Reached + To From = New}while(New Ø )

Algorithm: Simple property:

Model Checking Hinges on Reachability

Basic Operation: Pre-image

In Simple terms Given “bad” formula f Compute reachable states Compute states satisfying f Pass if intersection is empty

Key issues : State set generation and representation

Extensional, as originally proposed. Symbolic, as now practiced

x

y

z z

y

lowhigh fxfxf

highflowf

Ordered Binary Decision Diagrams

• BDDs with read-once property fixed Variable order

• The restrictions guarantee: + Canonicity+ efficient Algorithms for

Boolean Operations, Tautology, SAT and Equivalence check

• Disadvantage:- Blow-Up possible

• The minimizing problem:• better BDD Types (?)• Transformations (?)• Variable- Reordering

Local Search: Sifting

Symbolic Model Checking Using BDDs to represent sets of

states

Key operation is image computation Using transition relation Necessary to succinctly represent the

transition relationWhat is the problem?

The Bottleneck in VerificationState-based verification, model checking Can be fully automated in principle Why not in practice? State space representation

Symbolically manifests as “BDD blowup” Limits extent of automation Limits size of designs that can be handled

Capacity is restricted by representation size Memory restricts time BDD based tools – crash or thrash

So What can be done?

Outline




Partitioned Transition Relation Represented as conjunction of k parts TRi

Easy to construct for synchronous circuits Conjunction of “bitwise” TRi’s – the

transition function of each state variable Set of variables partitioned into k disjoint

subsets Transition functions for variables in each subset

are conjuncted together to give TRi

TR is the implicit conjunction of TRi for i in 1 to k

Partitioned TR (Cont‘d) Basis of reachable states

computation:

Partitioned TR:

)iii

i y)(x(δ y)TR(x,

J

jTR y)TR(x,

TRj

Cluster of ROBDDs Monolithic ROBDD

iiJi

ij y)(x(δ y)(x,TR

Image Computation The image computation step:

Partitioned TR useful due to early quantification (AndExist):

Choice and order of TRj’s is crucial

for a good performance!

Img(TR,A)= xnTRn x2TR2 x1TR1 A)

Img(TR,A)= xTR(x,y) A(x))

Partitioned TR - Observations What is it that is partitioned?

The set of variables The relation

Actual TR is an implicit conjunction Sets of states always ROBDD

During image computation Before and After image computation

So What? Sets of states as ROBDDs

Can get very large TR parts repeatedly conjuncted

During each image Made easier combined with

quantification Still repeated expense

Solution: Partition all state-sets

Partitioned ROBDD (POBDD)

121

k

www )(,0 jijwiw

fiwif ˆ

Xf is its partitioned-ROBDD representation if,

Given the Boolean Function BnBf :

)}ˆ,(,)2

ˆ,2

(),1ˆ,

1{(

kf

kwfwfw

fX

where

BnBiw : BnBif :ˆand

are ROBDDs with variable ordering and,

Note that the ROBDDs in each partition may have a different variables ordering

Each wi is called a window function

f

w1w2

w3w4

f̂1 f̂2

f̂3

f̂4

A simple example

f = c (a1b1 + a2b2) + c (a1a2 + b1b2 )

w1 = c

w2 = c

f1 = c (a1b1 + a2b2)

f2 = c (a1a2 + b1b2 )cc

aa11

00 11

ff11

bb11

aa22

bb22

1 1 : c, : c, aa1, 1, bb1, 1, aa2, 2, bb22

cc

aa11

00 11

ff22

aa22

bb11

bb22

2 2 : c, : c, aa1, 1, aa2, 2, bb1, 1, bb22

On Using Partitioning

Sets of states disjunctively partitioned Key : Use same partitioning windows In particular, set of reachable states

Induces disjunctive partitioning on TR TR is a Relation on state pairs: Quadratic

Notice each such TRij can further be Monolithic, Disjunctive, or Conjunctive

Image computation Must consider to and from set in each

partition

Reachability Revisited

From=Reached=S0

do{ To = Img(TR,From) New = To \ Reached Reached += To From = New}while(New Ø )

Old Algorithm:Notice that From is now partitioned

TR applied to Fromi of partition i,

result Toi is also partitioned

So Toij is owned by partition j

Must be given to j.

Quadratic such transfers!

Image and Reachability

Fix point computations performed On each partition locally Using TRii

Use reachability algorithm on ROBDDs Synchronization between partitions

Cross-over images finds states use TRij , .

Must keep it infrequent Postponed till local fixpoint reached

ji

Reachability Example: Initial set

Event Queue 1 3

I1(x)

w2

w3w4

w1

I3(x)

Local Fix Point

T11

w2

w3w4

w1

I1(x)

I3(x)

Event Queue 3

Cross-over images

Event Queue 3 4

R1

T14

T12

T13

w2

w3w4

w1

I3(x)

Another Local Fix point

Event Queue 4

R1

w2

w3w4

w1

T33I3(x)

More Cross over images

R1

w2

w3w4

w1

R3

T32

T31

T34

Event Queue 24 1

Example, cont.

R1

w2

w3

w1

R3

Event Queue 2 1

w4T44

Outline




CTL : temporal properties EX(f), E(fUg), EG(f) form a basis set

Invariant Checking AGp Absence of Deadlock

Return to reset state AGEF(s0)

Temporal Implication AG(p EF q) Liveness EGp, AFp

Outline




Image Computation EXp forall (partitions j)

forall (partitions k) PreImg_jk(s) = ∃s′,i[TRjk(s, s′, i) ∧ pk(s′)] reorder BDD PreImgjk from part order k to j

end for Sj = ∨k PreImgjk

end for output S

Least Fix Point E(pUq) S := q , S.old := NULL repeat

S.old := S temp := computeEX(S) forall (partitions j)

Sj := qj ∨ (pj ∧ tempj)

end for

until(S = S.old) output S

Greatest Fix Point EGp S := p repeat

S.old := S temp := computeEX(S) forall (partitions j)

Sj := pj ∧ tempj

end for


What’s the problem? Image computation has two parts

Transitions local to a partition (i=j) Transitions Crossing over partitions (i<>j)

Cross-over images are expensive! Get BDDs, maybe from disk Store BDDs, maybe over network Reorder large BDDs

The classical algorithm does one set of cross-over image during each EX.

Outline




Least Fix Point E(pUq) S := q, S.old := NULL repeat

S.old := S forall (partitions j)

repeat Sj .old := Sj

Sj := Sj ∨ (pj ∧ EXl(Sj , j)) … under-approximate

until(Sj = Sj .old)

end for S := S ∨ (p ∧ EXc(S)) … add missing

states


Greatest Fix Point EGp S := p Border := p ∧ EXc(S) … candidate set repeat

S.old := S forall (partitions j)

repeat Sj .old := Sj

Sj := pj ∧ (EXl(Sj , j) ∨ Borderj) … over-approx until(Sj == Sj .old)

end for Border := p ∧ EXc(S) … prune

states

until(S == S.old) output S

Outline




VIS Verilog benchmarksCkt #C/

O Old

#C/O New

C/O Time old

C/O Time new

Total M/C time old

Total M/C time new

S1269 8 8 67 1 93 1

Soap 53 5 592 1 714 28

Ghg 9367 6 166 .15 280 27

Sppint 16 6 4 1 24 2

Gcd 15 7 19 .7 69 108

Conclusions

Assuming a model where cross-over images are very expensive, the proposed algorithm: Is no worse than the classical algorithm Converges faster, empirically, in terms of

Number of cross-over images Time spent in cross-over images

Reduces total model checking time Often quite significantly

Is good for parallel model checking

on partitioning and symbolic model checking fm 2005

Documents

partitioned tr useful

model checkinghinges

model checkingcan

transition relationgenerated

image computationso

symbolic model checkingfm

transition relationwhat

state basedgiven