To Split or to Conjoin: The Question in Image Computation
In-Ho Moon1, James Kukula2, Kavita Ravi3, Fabio Somenzi1
1 {mooni, fabio}@colorado.edu, University of Colorado at Boulder
2 [email protected] Inc.
3 [email protected] Inc.
Outline
Introduction
Image Computation Methods
  Transition Relation Method
  Transition Function Method
Transition Relation vs. Function Methods
Hybrid Image Computation
Experimental Results
Conclusions
Introduction
Model Checking
  The most widely used method in formal verification
  Does the system (implementation) satisfy the property (specification)?
  State space explosion
BDD explosion in symbolic model checking
  The explosion occurs mostly in intermediate BDDs during conjunctions in image/preimage computations.
Image/Preimage Computations
  Finding all successor/predecessor states from the given states at once, respectively
  The key steps in symbolic model checking
Contribution
(Layer diagram of symbolic model checking: Model Checking and Reachability Analysis are built on Image/Preimage Computations, which in turn are built on BDD Operations. This work targets the Image/Preimage Computation layer.)
Image Computation
Two approaches
  Transition Relation Method [ICCAD90, DAC91]: conjunctions
  Transition Function Method [IFIP89, ICCAD90]: recursive splitting
The transition relation method is superior to the transition function method in most cases.
In some cases, the transition function method is more efficient than the transition relation method, especially in most cases of approximate reachability analysis.
Questions
  Why is that?
  What if we combine the two methods?
Transition Relation Method
Image Computation: $\mathrm{Img}(T(x,w,y), C(x)) = \exists x,w.\ \big(\bigwedge_{1 \le i \le k} T_i(x,w,y) \wedge C(x)\big)$
Preimage Computation: $\mathrm{Pre}(T(x,w,y), C(y)) = \exists y,w.\ \big(\bigwedge_{1 \le i \le k} T_i(x,w,y) \wedge C(y)\big)$
Early Quantification: $\exists u.\ (f(u,v) \wedge g(v)) = (\exists u.\ f(u,v)) \wedge g(v)$, hence
  $\mathrm{Img}(T, C) = \exists v_1.\ (T_1 \wedge \cdots \exists v_k.\ (T_k \wedge C))$
Transition Function Method
Image Computation [IFIP89, ICCAD90]
  Input Splitting
  Output Splitting
Preimage Computation
  Simultaneous Substitution [CAV91]
  Sequential Substitution [PhD92]
  Domain Cofactoring [ICCAD98]
Transition Function Method (Cont'd)
Input Splitting: $\mathrm{Img}(f(x,w), C(x)) = \mathrm{Img}(f_v, C_v) + \mathrm{Img}(f_{v'}, C_{v'})$
  $f = (f_1, \ldots, f_m)$: function vector
  $v$: splitting variable ($x$ or $w$); the one that occurs most frequently in the supports [Cho96]
Constant Functions
  $\mathrm{Img}((f_1 = 1, \ldots, f_m), C) = y_1 \wedge \mathrm{Img}((f_2, \ldots, f_m), C)$
  $\mathrm{Img}((f_1 = 0, \ldots, f_m), C) = y_1' \wedge \mathrm{Img}((f_2, \ldots, f_m), C)$
Terminal Cases
  $\mathrm{Img}(f, 0) = 0$
  $\mathrm{Img}(f, C) = 1$ where $|f| = 1$, $f$ is non-constant and $C \ne 0$
From the implementation point of view, we don't need $y$ variables in the transition function method.
Transition Function Method (Cont'd)
Domain Cofactoring: $\mathrm{Pre}(f, C) = v \cdot \mathrm{Pre}(f_v, C) + v' \cdot \mathrm{Pre}(f_{v'}, C)$
  $v$: splitting variable ($x$)
Constant Functions
  $\mathrm{Pre}((f_1 = 1, \ldots, f_m), C) = \mathrm{Pre}((f_2, \ldots, f_m), C_{y_1})$
  $\mathrm{Pre}((f_1 = 0, \ldots, f_m), C) = \mathrm{Pre}((f_2, \ldots, f_m), C_{y_1'})$
Terminal Cases
  $\mathrm{Pre}(f, 1) = 1$
  $\mathrm{Pre}(f, 0) = 0$
  $\mathrm{Pre}(f, C) = C$ where $|f| = 0$
Optimization: drop $f_j$ if $y_j \notin \mathrm{support}(C(y))$
Transition Relation vs. Function Methods
Transition Relation Methods
  Based on conjunction
  Needs two sets of state variables
  Good: much faster in most cases
  Bad: intermediate BDDs may grow very large
Transition Function Methods
  Based on splitting
  Needs one set of state variables
  Good: takes much less memory in most cases
  Bad: may have too many recursive calls
Question: Can we combine the merits of both methods?
Hybrid Image Computation
(Figure: two variants, Static Hybrid and Dynamic Hybrid, each shown as a recursion that interleaves Conjoin and Split steps.)
Dependence Matrix
  $m$: the number of functions
  $n$: the number of variables
  $d_{ij} = 1$: $i$-th function depends on $j$-th variable
(Figure: an $m \times n$ 0/1 matrix with rows $d_1, d_2, d_3, \ldots, d_m$; conjunction proceeds over the rows, and a variable is quantified once the rows that depend on it have been conjoined.)
Example ($4 \times 4$ matrix): $(4 + 4 + 3 + 1) / (4 \times 4) = 12 / 16 = 0.75$
Average Variable Lifetime $= \dfrac{\sum_{1 \le j \le n} (m - i_j + 1)}{m \, n}$
Examples (32-bit rotator & multiplier)
(Figure: dependence matrices of the two circuits.)
  No good quantification schedule: needs splitting
  Good quantification schedule: may be easy for conjunctions
Example (hw_top & one submachine)
(Figure: dependence matrices of hw_top and one of its submachines.)
Explains why splitting is better than conjunction in approximate reachability.
To Split or to Conjoin
Variable lifetime
  Conjoin if lifetime $\le 0.5 +$ [margin]; split otherwise
Min/Max decision depth
  Min: splitting may help even for small lifetime values
  Max: to avoid too deep recursions
  Decide only between min and max depth
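The dependence-matrix lifetime measure and the split/conjoin decision rule above, as an added worked example (not code from the slides or the authors' tool). It assumes that $i_j$ is the 1-based row of the first function depending on variable $j$, so $m - i_j + 1$ counts the rows from that point to the bottom of the matrix; the margin term and the below-min/above-max depth behaviour are our reading of the slide. The 4 x 4 matrix is constructed to reproduce the 0.75 on the slide.

```python
from typing import List, Sequence, Set

def dependence_matrix(supports: Sequence[Set[int]], n: int) -> List[List[int]]:
    """Build the m x n matrix: d[i][j] = 1 iff function i depends on variable j.
    supports[i] is the set of 0-based variable indices in the support of f_i."""
    return [[1 if j in sup else 0 for j in range(n)] for sup in supports]

def average_variable_lifetime(d: List[List[int]]) -> float:
    """sum_j (m - i_j + 1) / (m * n), with i_j the 1-based row of the first
    function that depends on variable j (assumption; see lead-in).
    A variable used by no function contributes 0."""
    m = len(d)
    n = len(d[0]) if m else 0
    if not m or not n:
        return 0.0
    total = 0
    for j in range(n):
        first = next((i for i in range(m) if d[i][j]), None)
        if first is not None:
            i_j = first + 1            # 1-based row index
            total += m - i_j + 1       # rows the variable stays alive
    return total / (m * n)

def decide(lifetime: float, depth: int, min_depth: int, max_depth: int,
           margin: float = 0.0) -> str:
    """Decision at one recursion level.
    Below min_depth always split (splitting may help even for small lifetime);
    at or beyond max_depth always conjoin (avoid too deep recursion);
    in between, conjoin iff lifetime <= 0.5 + margin.
    `margin` stands in for the slack term on the slide (assumption)."""
    if depth < min_depth:
        return "split"
    if depth >= max_depth:
        return "conjoin"
    return "conjoin" if lifetime <= 0.5 + margin else "split"

# Constructed example: 4 functions over 4 variables. Column first-use rows
# are 1, 1, 2, 4 -> lifetimes 4 + 4 + 3 + 1 = 12, so 12 / 16 = 0.75.
EXAMPLE_SUPPORTS = [{0, 1}, {0, 1, 2}, {0, 1, 2}, {0, 1, 2, 3}]
EXAMPLE_MATRIX = dependence_matrix(EXAMPLE_SUPPORTS, 4)

if __name__ == "__main__":
    lam = average_variable_lifetime(EXAMPLE_MATRIX)
    print(EXAMPLE_MATRIX, lam, decide(lam, depth=2, min_depth=1, max_depth=5))
```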
Experimental Results - 1
(Figure: log-scale plot from 0.1 to 1000000 of time in reachability analysis, comparing TR, TF and Hybrid.)
Experimental Results - 2
(Figure: log-scale plot from 1.00 to 100000.00 of time in approximate reachability analysis, comparing TR, TF and Hybrid.)
Experimental Results - 3
(Figure: log-scale plot from 1.00 to 1000000.00 of time in model checking without reachability analysis, comparing TR, TF and Hybrid.)
Conclusions
We have presented a hybrid image method
  Combining the conjunction and splitting approaches
  Dynamic decision whether to split or to conjoin, based on variable lifetime from the dependence matrix
  Much more robust than either pure method
The analysis of the dependence matrix explains why splitting is better than conjunction in approximate reachability
Future Work
  Improve decision strategy
  Analyze why the results for preimage were not as good as those for image