Optimizing Symbolic Model Checking

for Constraint-Rich Systems

Randal E. Bryant

Bwolen Yang, Reid Simmons, David R. O’Hallaron

Carnegie Mellon University

2

NASA’s Deep Space One (DS1) Spacecraft

fault diagnosis modelqualitatively describesspacecraft’s behavior

3

Autonomous SpacecraftNASA DS1’s Fault Diagnosis Model

Fault Diagnosis Model component’s interconnections (thrusters, motors, valves…)

component’s state: mode (thruster’s force: low / nominal / high)

Also in Robot Explorer (Nomad: Antarctic meteorite explorer)

Livingstone Diagnostic Engine[William & Nayak ’96]

SensorData

FaultDiagnosis

Model

consistent?

4

Verification of DS1’s Fault Diagnosis Model[Simmons, CMU]

Automatically Translated to SMV Model Checker state transition == component’s mode changes time-invariant constraints

» sensor values and modes» interconnection between components

automatic translation ==> little / no manual optimization» vs. models built from scratch by verification experts

5

Verification of DS1’s Fault Diagnosis ModelChallenge

Failed due to Large Number of State Variables 600-1200 state bits

» model checker’s capacity: ~ a few hundred state bits

Observation dominated by time-invariant constraints

6

Time-Invariant ConstraintsExample 1

Establish Interface

component 2in

min(out, c) == incomponent 1out

c: capacity of the pipe

“in” is redundant

7

Time-Invariant ConstraintsExample 2

Use of Generic Parts (both software / hardware) specific use ==> constraints

bi-directional

specialize

component 2in

component 1out

redundant components!e.g., valves always set to the same direction

8

Time-Invariant ConstraintsObservation 1 (Example 1 + 2)

Many Unnecessary State Variables (macros) Establish Interface

in := min(out, c)

Specific Use of Generic Partsvalve-direction := some constant

(after inlining the module)

9

Time-Invariant ConstraintsExample 3

Indirection (based on the specification)

transition relationnext(bus.state) := complex expression f

invariant constraintsdevice1.output1 := switch (bus.state) …

device1.output2 := switch (bus.state) …

10

Time-Invariant ConstraintsExample 4

Consistent Non-Deterministic Choices

invariant constraintcmd := expression f with non-determinism

(due to incomplete specification or abstraction)

transition relationsnext(device1.output1) := switch (cmd) …

next(device1.output2) := switch (cmd) …

11

Time-Invariant ConstraintsObservation 2 (Example 3 + 4)

Variables w/ Constraints Used in Current State Only Indirection

device1.output1 := switch (bus.state) …

device1.output2 := switch (bus.state) …

Consistent Non-Deterministic Choicescmd := expression f with non-determinism

(due to incomplete specification or abstraction)

==>

Corresponding Next-State BDD Variables NOT Used

early quantification in pre-image computation» pre-image quantifies out next-state variables

12

Time-Invariant ConstraintsExample 5

Conditional Assignments

(tank == non-empty) =>

(out-pressure.sign := positive) &

(out-pressure.relative := nominal)

Note occurs for interface and indirection mostly simple (as above), but sometimes quite complicated

» p1 => ((p2 => (a := …)) & (p3 => (b := …))» most complicated expression has > 10,000 characters

13

Time-Invariant ConstraintsObservation 3 (Example 5)

Combining Time-Invariant ==> Macros

p1 => (a := …)

p2 => (a := …)

p3 => (a := …)

…

==>

a := some deterministic expression

complex expressions ==>

syntactic analysis is insufficient

14

Time-Invariant Constraints arise from modeling may have lots of redundant state bits

Our Solutions remove redundant state variables

» identify macros: assignment-extraction algorithm» select macros: BDD characteristics

partition (conjunctive partitioning) remaining constraints » apply an improved version of [Ranjan et al. ’95] algorithm

Optimizations for Constraint-Rich Models

15

Related Work

[Berthet, et al. ’90]

[Lin & Newton ’91]

[Hu & Dill ’93] [Eijk & Jess ’96]

[Sentovich, et al. ’96]

Problems

require constraints to be

combined first

removal is not always

beneficial

Redundant State-Variable RemovalProblem Statement

c?

v == gif so, v is redundant

replace v with g

Given invariant constraint c and state variable v,

Question

16

Redundant State-Variable RemovalOur Approach: Assignment Extraction Algorithm

ci

v Ginon-deterministic

assignment

If Gi = { gi }, we have v == gi

17

Redundant State-Variable RemovalPartitioned Constraints

c1

v G1

use graph sizes to determine the “goodness” of g

v == g

?

c2

v G2

cn

v Gn

18

Target

To Construct a Solution for Gi

for all k Kv where Kv is the set of possible values of v

ci ==> (v Gi)

Redundant State-Variable Removal Assignment Extraction Algorithm (Core Idea)

ci |v=k ==> (k Gi) [substitute v with k]

Gi = U ( if ci |v=k then { k } else { } ) k Kv

19

image(S) = V. T (S C)

=V W . T [ W. (S C) ]

where T does not depend on variables in W. many variables used only in time-invariant constraint

Represent C as Conjunctive Partition C1 C2 … Cm

monolithic BDD is too large to build

Conjunctive Partitioning of Time-Invariant Constraints

20

1

10

100

1000

10000

100000

acs ds1-b ds1 ds4 f-bus nomad v-gates xavier

orig

new

failed

Optimizations for Constraint-Rich ModelsOverall Impact

tim

e (

sec

)

21

BDD-Based Macro Optimization

Early-Quantification of W forV. T [ W. (S C) ]

without and with macro optimization

Performance Breakdown

22

Effects of BDD-Based Macro(No Early Quantification)

tim

e (

sec

)

1

10

100

1000

10000

100000

acs ds1-b ds1 ds4 f-bus nomad v-gates xavier

None

BDDM

failed

23

Effects of BDD-Based Macro: Causes

% b

dd

va

rs r

emo

ved

0

20

40

60

80

100

acs ds1-b ds1 ds4 f-bus nomad v-gates xavier

24

BDD-Based Macro Optimization

Early-Quantification of W forV. T [ W. (S C) ]

without and with macro optimization

Performance Breakdown

25

Effects of Early Quantification(No Macro Optimization)

tim

e (

sec

)

1

10

100

1000

10000

100000

acs ds1-b ds1 ds4 f-bus nomad v-gates xavier

None

Quan

failed

26

Effects of Early Quantification: Causes(No Macro Optimization)

% b

dd

va

rs e

xtr

act

ed

0

20

40

60

80

100

acs ds1-b ds1 ds4 f-bus nomad v-gates xavier

image

pre-image

Maximum achievable = 50%

27

Effects of Early Quantification (With Macro Optimization)

tim

e (

sec

)

1

10

100

1000

10000

100000

acs ds1-b ds1 ds4 f-bus nomad v-gates xavier

BDDM

Q+BDDM

failed

28

Summary & Future Work

Optimizations for Constraint-Rich Models Enabled verification for DS1’s fault diagnosis model

» 159 specs within 1 min

Typical of effort required to deal with models generated automatically from modular description

BDD Algorithms for Compiler-Type Analysis Assignment-Extraction Algorithm

» cone-of-influence analysis:

exact dependence information