Title: On Partitioning and Symbolic Model Checking FM 2005
On Partitioning and Symbolic Model Checking (FM 2005)
- Subramanian Iyer, UT-Austin
- Debashis Sahoo, Stanford
- E. Allen Emerson, UT-Austin
- Jawahar Jain, Fujitsu Labs
Outline
- Background
- The Partitioning Approach
- Model Checking
- The naïve algorithm
- An improved algorithm
- Experiments and Conclusion
Sequential Verification
- Does the implementation fulfil its specification?
- Model checking
  - State based
  - Given the system under test, prove properties stated in a temporal logic (e.g. CTL, LTL)
- Required for model checking
  - Input data: the transition relation
  - Generated: reachable states, forbidden states
  - Procedures: Boolean operations, image computation
Reachability Analysis
- Simple property: breadth-first exploration of a state space of up to 2^n states (n state variables)
- Algorithm
    From := Reached := S0
    do
        To := Img(TR, From)
        New := To \ Reached
        Reached := Reached ∪ To
        From := New
    while (New ≠ ∅)
Model Checking
- Hinges on reachability
- Basic operation: pre-image
- In simple terms
  - Given a "bad" formula f
  - Compute the reachable states
  - Compute the states satisfying f
  - Pass if the intersection is empty
- Key issue: state-set generation and representation
  - Extensional (explicit), as originally proposed
  - Symbolic, as now practiced
Ordered Binary Decision Diagrams
- BDDs with
  - the read-once property (each variable is tested at most once on any path)
  - a fixed variable order
- The restrictions guarantee
  - Canonicity
  - Efficient algorithms for Boolean operations, tautology, SAT and equivalence checking
- Disadvantage: blow-up is possible
- The minimization problem
  - Better BDD types (?)
  - Transformations (?)
  - Variable reordering
  - Local search: sifting
Symbolic Model Checking
- Use BDDs to represent sets of states
- The key operation is image computation, using the transition relation
- It is therefore necessary to represent the transition relation succinctly
- What is the problem?
The Bottleneck in Verification
- State-based verification (model checking)
  - Can be fully automated in principle
  - Why not in practice?
- State space representation
  - Symbolically, the problem manifests as BDD blow-up
  - Limits the extent of automation
  - Limits the size of designs that can be handled
- Capacity is restricted by representation size
  - Memory restricts time
  - BDD-based tools crash or thrash
- So what can be done?
Partitioned Transition Relation
- TR is represented as a conjunction of k parts TR_i
- Easy to construct for synchronous circuits
  - TR is the conjunction of the bitwise relations, one per state variable, each relating the variable's next value to its transition function
  - The set of state variables is partitioned into k disjoint subsets
  - The transition functions of the variables in each subset are conjuncted together to give TR_i
  - TR is the implicit conjunction of TR_i for i in 1..k
Partitioned TR (contd.)
- Basis of the reachable-states computation
- Figure: the partitioned TR as a cluster of ROBDDs TR_j, versus a single monolithic ROBDD
Image Computation
- The image computation step:
  $\mathrm{Img}(TR, A) = \exists x \,\big( TR(x, y) \wedge A(x) \big)$
- A partitioned TR is useful because of early quantification (AndExist):
  $\mathrm{Img}(TR, A) = \exists x_n \,\big( TR_n \wedge \ldots \exists x_2 \,\big( TR_2 \wedge \exists x_1 \,( TR_1 \wedge A ) \big) \ldots \big)$
  where each x_i can be quantified out as soon as no later TR_j depends on it
- The choice and order of the TR_j is crucial for good performance!
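As an added example (not code from the slides or from any BDD package), the image computation above and the reachability loop of the Reachability Analysis slide, run on a constructed 3-bit synchronous counter with an enable input. Explicit sets of satisfying assignments stand in for the ROBDDs, so what the example shows is the algebra: conjoining the clusters TR_i one at a time, quantifying each present-state variable as soon as no remaining cluster mentions it, and how the cluster order decides whether anything can be quantified early at all. The names x0..x2, y0..y2, e and all helper names are this example's own.

```python
"""Image computation over a conjunctively partitioned TR with early
quantification, plus the reachability loop built on it (added example)."""
from itertools import product


class Relation:
    """Boolean function over `support`, stored as the set of its satisfying
    assignments (tuples of 0/1 in support order); a stand-in for an ROBDD."""
    def __init__(self, support, rows):
        self.support = tuple(support)
        self.rows = set(rows)

    @classmethod
    def from_predicate(cls, support, pred):
        support = tuple(support)
        return cls(support, (bits for bits in product((0, 1), repeat=len(support))
                             if pred(dict(zip(support, bits)))))

    def reorder(self, support):
        idx = [self.support.index(v) for v in support]
        return Relation(support, (tuple(r[i] for i in idx) for r in self.rows))


def conjoin(f, g):
    """f ∧ g as a natural join on the shared variables."""
    support = f.support + tuple(v for v in g.support if v not in f.support)
    gi = {v: i for i, v in enumerate(g.support)}
    rows = set()
    for a in f.rows:
        env = dict(zip(f.support, a))
        for b in g.rows:
            if all(env.get(v, b[i]) == b[i] for v, i in gi.items()):
                rows.add(tuple(env[v] if v in env else b[gi[v]] for v in support))
    return Relation(support, rows)


def exists(f, vars_out):
    """∃ vars_out . f : drop the columns and merge the rows."""
    keep = [i for i, v in enumerate(f.support) if v not in vars_out]
    return Relation([f.support[i] for i in keep],
                    (tuple(r[i] for i in keep) for r in f.rows))


def image(clusters, A, quantify, ys):
    """Img(TR, A) = ∃x (TR ∧ A), TR being the implicit conjunction of `clusters`,
    conjoined in the given order. A variable in `quantify` is eliminated as soon
    as no remaining cluster mentions it (AndExist). Returns the image over `ys`
    and the quantification schedule that the cluster order allowed."""
    cur, schedule, remaining = A, [], list(clusters)
    while remaining:
        cur = conjoin(cur, remaining.pop(0))
        still_needed = {v for c in remaining for v in c.support}
        now = [v for v in cur.support if v in quantify and v not in still_needed]
        cur = exists(cur, set(now))
        schedule.append(now)
    return cur.reorder(ys), schedule


def reachable(clusters, s0, xs, ys, inputs):
    """From = Reached = S0; repeat To = Img(TR, From), New = To \\ Reached,
    Reached = Reached ∪ To, From = New until New = ∅ (the slides' loop)."""
    reached = frm = s0
    iterations = 0
    while True:
        iterations += 1
        to, _ = image(clusters, frm, set(xs) | set(inputs), ys)
        to = Relation(xs, to.rows)                      # relabel y_i back to x_i
        new = Relation(xs, to.rows - reached.rows)
        reached = Relation(xs, reached.rows | to.rows)
        frm = new
        if not new.rows:
            return reached, iterations


XS, YS, INPUTS = ("x0", "x1", "x2"), ("y0", "y1", "y2"), ("e",)


def counter_clusters():
    """Constructed circuit: 3-bit counter that increments when e = 1.
    TR_i = (y_i <-> f_i(e, x)); supports TR0 {e,x0,y0}, TR1 {e,x0,x1,y1},
    TR2 {e,x0,x1,x2,y2}, so the low bits are needed by every higher cluster."""
    tr0 = Relation.from_predicate(("e", "x0", "y0"),
                                  lambda a: a["y0"] == a["x0"] ^ a["e"])
    tr1 = Relation.from_predicate(("e", "x0", "x1", "y1"),
                                  lambda a: a["y1"] == a["x1"] ^ (a["e"] & a["x0"]))
    tr2 = Relation.from_predicate(("e", "x0", "x1", "x2", "y2"),
                                  lambda a: a["y2"] == a["x2"] ^ (a["e"] & a["x0"] & a["x1"]))
    return tr0, tr1, tr2


def demo():
    tr0, tr1, tr2 = counter_clusters()
    s0 = Relation(XS, {(0, 0, 0)})
    quant = set(XS) | set(INPUTS)
    # TR2, TR1, TR0 lets x2, then x1, then x0 and e go early; TR0, TR1, TR2
    # cannot quantify anything before the last cluster has been conjoined.
    img_good, sched_good = image((tr2, tr1, tr0), s0, quant, YS)
    img_bad, sched_bad = image((tr0, tr1, tr2), s0, quant, YS)
    reached, iters = reachable((tr2, tr1, tr0), s0, XS, YS, INPUTS)
    return {"image": sorted(img_good.rows), "images_agree": img_good.rows == img_bad.rows,
            "schedule_good": sched_good, "schedule_bad": sched_bad,
            "reached": len(reached.rows), "iterations": iters}
```

Both cluster orders give the same image (here the successors of 000 are 000 with e = 0 and 100 with e = 1), but only the order TR2, TR1, TR0 produces a non-trivial schedule; with explicit tables that difference shows up in the width of the intermediate relations, with ROBDDs it is the difference between a manageable and an exploding intermediate BDD.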
Partitioned TR: Observations
- What is it that is partitioned?
  - The set of variables
  - The relation
- The actual TR is an implicit conjunction
- Sets of states are always a single ROBDD
  - During image computation
  - Before and after image computation
So What?
- Sets of states as ROBDDs can get very large
- The TR parts are repeatedly conjuncted during each image computation
  - Made easier when combined with quantification
  - Still a repeated expense
- Solution: partition all state sets
Partitioned ROBDD (POBDD)
- Given the Boolean function f, X_f is its partitioned-ROBDD representation if [...], where [...] and [...] are ROBDDs with variable ordering π_i
- Each w_i is called a window function
- Note that the ROBDDs in each partition may have a different variable ordering π_i
- Figure: the function split into four windows w1, w2, w3, w4
A Simple Example
- $f = c\,(a_1 b_1 \vee a_2 b_2) \;\vee\; \bar{c}\,(a_1 a_2 \vee b_1 b_2)$
- $w_1 = c$
- $w_2 = \bar{c}$
- $f_1 = c\,(a_1 b_1 \vee a_2 b_2)$
- $f_2 = \bar{c}\,(a_1 a_2 \vee b_1 b_2)$
- Figure: the ROBDDs of f_1 and f_2, each rooted at c, drawn under their own orderings
- $\pi_1 = c, a_1, b_1, a_2, b_2$
- $\pi_2 = c, a_1, a_2, b_1, b_2$
On Using Partitioning
- Sets of states are disjunctively partitioned
  - Key: use the same partitioning windows for every set, in particular for the set of reachable states
- This induces a disjunctive partitioning on TR
  - TR is a relation on state pairs, so the induced partitioning is quadratic: one part TR_ij for each pair of windows (w_i on the current state, w_j on the next state)
  - Notice that each such TR_ij can further be monolithic, disjunctive, or conjunctive
- Image computation must consider the To and From sets in each partition
Reachability Revisited
- Old algorithm:
    From := Reached := S0
    do
        To := Img(TR, From)
        New := To \ Reached
        Reached := Reached ∪ To
        From := New
    while (New ≠ ∅)
- Notice that From is now partitioned: applying TR to From_i of partition i gives a result To_i that is itself partitioned, so To_ij is owned by partition j and must be handed over to j. Quadratically many such transfers!
Image and Reachability
- Fixpoint computations are performed on each partition locally, using TR_ii
  - Use the reachability algorithm on ROBDDs
- Synchronization between partitions
  - Cross-over images find the states of partition j reachable from partition i, using TR_ij with i ≠ j
  - Must keep them infrequent: postponed until the local fixpoint is reached
Reachability Example
- Initial set
- Local fixpoint
- Cross-over images (figure: reached set R1 in window w1; cross-over images T12, T13, T14 into windows w2, w3, w4; I3(x) in window w3)
- Another local fixpoint
- More cross-over images
- Example, cont.
CTL Temporal Properties
- EX(f), E(f U g), EG(f) form a basis set
- Invariant checking: AG p
- Absence of deadlock
- Return to reset state: AG EF(s0)
- Temporal implication: AG(p → EF q)
- Liveness: EG p, AF p
Image Computation: EX p
    forall (partitions j)
        forall (partitions k)
            PreImg_jk(s) := ∃s', i . TR_jk(s, s', i) ∧ p_k(s')
            reorder the BDD PreImg_jk from the variable order of partition k to that of j
        end for
        S_j := ∨_k PreImg_jk
    end for
    output S
Least Fixpoint: E(p U q)
    S := q, S.old := NULL
    repeat
        S.old := S
        temp := computeEX(S)
        forall (partitions j)
            S_j := q_j ∨ (p_j ∧ temp_j)
        end for
    until (S = S.old)
    output S
Greatest Fixpoint: EG p
    S := p
    repeat
        S.old := S
        temp := computeEX(S)
        forall (partitions j)
            S_j := p_j ∧ temp_j
        end for
    until (S = S.old)
    output S
What's the Problem?
- Image computation has two parts
  - Transitions local to a partition (i = j)
  - Transitions crossing over partitions (i ≠ j)
- Cross-over images are expensive!
  - Get BDDs, maybe from disk
  - Store BDDs, maybe over the network
  - Reorder large BDDs
- The classical algorithm does one set of cross-over images during each EX
Least Fixpoint: E(p U q), improved algorithm
    S := q, S.old := NULL
    repeat
        S.old := S
        forall (partitions j)
            repeat                                        (local fixpoint: under-approximates)
                S_j.old := S_j
                S_j := S_j ∨ (p_j ∧ EX_l(S_j, j))
            until (S_j = S_j.old)
        end for
        S := S ∨ (p ∧ EX_c(S))                            (add the missing states)
    until (S = S.old)
    output S
Greatest Fixpoint: EG p, improved algorithm
    S := p
    Border := p ∧ EX_c(S)                                 (candidate set)
    repeat
        S.old := S
        forall (partitions j)
            repeat                                        (local fixpoint: over-approximates)
                S_j.old := S_j
                S_j := p_j ∧ (EX_l(S_j, j) ∨ Border_j)
            until (S_j = S_j.old)
        end for
        Border := p ∧ EX_c(S)                             (prune states)
    until (S = S.old)
    output S
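As an added example (not code from the slides or from VIS), the classical E(p U q) and EG p algorithms of the three preceding pseudocode slides and the two improved versions above, run side by side on a constructed 8-state graph split into two windows. Explicit Python sets of integer states stand in for the ROBDD held by each window, so only the control structure is reproduced: EX_l is the pre-image through TR_jj inside window j, EX_c is the pre-image through the TR_jk with j ≠ k, and every call of EX_c is counted as one set of cross-over images. The graph, the windows and all names are this example's own.

```python
"""Partitioned CTL fixpoints: classical (cross-over images in every EX) versus
local-fixpoint-first (cross-over images only between local fixpoints)."""
from collections import defaultdict


class PartitionedModel:
    def __init__(self, num_windows, window_of, edges):
        self.k = num_windows
        self.window_of = window_of                # state -> window index
        self.tr = defaultdict(set)                # (i, j) -> TR_ij as (s, s') pairs
        for s, t in edges:
            self.tr[(window_of[s], window_of[t])].add((s, t))
        self.crossover_images = 0                 # number of EX_c computations

    def split(self, states):
        """Disjunctively partition a state set by the windows."""
        return [{s for s in states if self.window_of[s] == j} for j in range(self.k)]

    def ex_local(self, s_j, j):
        """EX_l(S_j, j): predecessors of S_j through transitions inside window j."""
        return {s for (s, t) in self.tr[(j, j)] if t in s_j}

    def ex_cross(self, S):
        """EX_c(S): per window j, its states with a successor in S_k, k != j.
        One call = one set of cross-over images (the expensive step)."""
        self.crossover_images += 1
        out = [set() for _ in range(self.k)]
        for j in range(self.k):
            for k in range(self.k):
                if k != j:
                    out[j] |= {s for (s, t) in self.tr[(j, k)] if t in S[k]}
        return out

    def ex(self, S):                              # full EX, as the classical algorithm uses it
        cross = self.ex_cross(S)
        return [self.ex_local(S[j], j) | cross[j] for j in range(self.k)]


def eu_classical(m, p, q):
    P, Q = m.split(p), m.split(q)
    S = [set(x) for x in Q]
    while True:
        old = [set(x) for x in S]
        temp = m.ex(S)
        S = [Q[j] | (P[j] & temp[j]) for j in range(m.k)]
        if S == old:
            return set().union(*S)


def eu_improved(m, p, q):
    P, Q = m.split(p), m.split(q)
    S = [set(x) for x in Q]
    while True:
        old = [set(x) for x in S]
        for j in range(m.k):                      # local fixpoint (under-approximation)
            while True:
                new = S[j] | (P[j] & m.ex_local(S[j], j))
                if new == S[j]:
                    break
                S[j] = new
        cross = m.ex_cross(S)                     # add states reachable only across windows
        S = [S[j] | (P[j] & cross[j]) for j in range(m.k)]
        if S == old:
            return set().union(*S)


def eg_classical(m, p):
    P = m.split(p)
    S = [set(x) for x in P]
    while True:
        old = [set(x) for x in S]
        temp = m.ex(S)
        S = [P[j] & temp[j] for j in range(m.k)]
        if S == old:
            return set().union(*S)


def eg_improved(m, p):
    P = m.split(p)
    S = [set(x) for x in P]
    border = [P[j] & b for j, b in enumerate(m.ex_cross(S))]   # candidate set
    while True:
        old = [set(x) for x in S]
        for j in range(m.k):                      # local fixpoint (over-approximation)
            while True:
                new = P[j] & (m.ex_local(S[j], j) | border[j])
                if new == S[j]:
                    break
                S[j] = new
        border = [P[j] & b for j, b in enumerate(m.ex_cross(S))]   # prune
        if S == old:
            return set().union(*S)


# Constructed graph: window 0 holds states 0-3, window 1 holds states 4-7.
WINDOW_OF = {s: (0 if s < 4 else 1) for s in range(8)}
EDGES = [(0, 0), (1, 0), (2, 1), (3, 2),         # chain 3->2->1->0 inside window 0
         (4, 3),                                 # the only cross-over transition
         (5, 4), (6, 5), (7, 6),                 # chain 7->6->5->4 inside window 1
         (4, 5), (5, 6), (6, 7), (7, 4)]         # cycle 4->5->6->7->4 inside window 1
STATES = set(range(8))


def compare(classical, improved, *args):
    """Run both versions on fresh models; return (result, #EX_c classical, #EX_c improved)."""
    m1, m2 = PartitionedModel(2, WINDOW_OF, EDGES), PartitionedModel(2, WINDOW_OF, EDGES)
    r1, r2 = classical(m1, *args), improved(m2, *args)
    assert r1 == r2, "both algorithms must compute the same set"
    return r1, m1.crossover_images, m2.crossover_images


def demo_eu():                                    # E(true U {0}): states that can reach 0
    return compare(eu_classical, eu_improved, STATES, {0})


def demo_eg():                                    # EG p, p = all states but 0
    return compare(eg_classical, eg_improved, STATES - {0})
```

On this graph the classical E(p U q) needs seven sets of cross-over images (one per EX, while the chain inside each window is walked one state per iteration) and the improved algorithm three; for EG p the counts are four and three. The results are identical, which is the "no worse" guarantee of the conclusions: the local passes only ever under-approximate (EU) or over-approximate (EG), and the cross-over step repairs exactly what the local passes cannot see.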
VIS Verilog benchmarks
Ckt      C/O old   C/O new   C/O time old   C/O time new   Total M/C time old   Total M/C time new
S1269          8         8             67              1                   93                    1
Soap          53         5            592              1                  714                   28
Ghg         9367         6            166           0.15                  280                   27
Sppint        16         6              4              1                   24                    2
Gcd           15         7             19            0.7                   69                  108
(C/O = cross-over images, counted and timed; M/C = model checking)
Conclusions
- Assuming a cost model where cross-over images are very expensive, the proposed algorithm
  - Is no worse than the classical algorithm
  - Converges faster, empirically, in terms of the number of cross-over images and the time spent in them
  - Reduces total model checking time, often quite significantly
  - Is good for parallel model checking