Title: Exploration of Large State Spaces
1 Exploration of Large State Spaces
- Armando Tacchella
- Lab - Software Engineering
- DIST Università di Genova
2 Scenario
- Applications
- Formal verification
- Planning
- Issues
- Is there a bug in the design?
- Is there a plan to reach the goal?
3 Formal verification
- Modulo 4 counter
- Bug: it is not possible to reach s00 starting from s01 or s10
- The bug can be discovered, e.g., by trying to reach s00 either from s01 or s10
4 Why formal verification?
Presented at DAC2001 by Bob Bentley, Intel Corp.
5 Planning
- Blocks world
- A block can be
- on top of another block
- on top of the table
- Blocks can be moved from a source to a destination
- The goal is to rebuild the tower upside-down
- The plan is the sequence of moves to the goal
6 Common model
- Set of states (configurations)
- Transitions between states
- Set of initial states
- Set of final states
- Is there a path from some initial state to some final state?
- Solving a reachability problem on a graph
7 Reachability
- Graph representation
- each node is a state
- each arc is a transition
- One or more sources (initial states)
- One or more targets (final states)
- Reachability can be solved with standard graph algorithms
- Optimization on the path length can be done using, e.g., Dijkstra's algorithm
8 Representing states
- States are encoded using vectors of boolean variables
- State variables x = (x1, ..., xN)
- A state is an assignment of boolean values {0,1} to the state variables
- State s = (v1, ..., vN) where vi ∈ {0,1}
9 How large is the state space?
- 2^N states (and 2^(2N) transitions) at most
- In real sized problems N is easily > 100
- How large is 2^100?
- Consider that 2^100 ns ≈ 3·10^12 yr
- Classical graph representations may not be feasible in practice!
10 Symbolic encoding
- Use boolean formulas to encode
- Initial states I(x)
- Transitions T(x, x')
- Final states F(x)
- Given two states s, t
- I(s) = 1 exactly when s is an initial state
- T(s,t) = 1 exactly when there is a transition between s and t
- F(s) = 1 exactly when s is a final state
11 A glimpse into Boolean logic...
- Every variable (x1, x2, ...) is a formula
- If F and G are formulas
- ¬F is a formula (negation of F)
- F ∨ G (disjunction), F ∧ G (conjunction), F → G (implication) are formulas
- Consider the following abbreviations
12 Symbolic encoding (example)
Counter modulo N → 2^N nodes
T_N → O(N^2) symbols
13 Bounded symbolic reachability
- Reaching a final state from an initial one with a path of length at most k (nodes)
- If R(s1, ..., sk) = 1 then the sequence s1, ..., sk has the following properties (i ∈ {1, ..., k})
- I(s1) = 1
- T(si, si+1) = 1 for all si
- F(si) = 1 for some si
14 Symbolic reachability (example)
R(x1,x2,x3) = 0 for all values of x1,x2,x3 ⇒ s00 is unreachable from s10
15 Solving symbolic reachability
- Symbolic encodings enable handling of large state spaces
- Bounded symbolic reachability amounts to finding s1, ..., sk s.t. R(s1, ..., sk) = 1
- Decide whether the boolean formula R is satisfiable or not (a.k.a. the SAT problem)
- There is no free lunch: SAT is NP-hard!
- Is this a limitation?
16 A glimpse into complexity...
- Two resources: TIME (omitted) and SPACE
- P = polynomial, EXP = exponential
- N = non-deterministic
- co = complement of
[Diagram of the complexity classes P, NP, co-NP, PSPACE and EXP, placing reachability, bounded symbolic reachability and SAT, and symbolic reachability and Q-SAT]
17 Solving SAT: preliminaries
- Formulas in Conjunctive Normal Form
- The formula is a set (conjunction) of clauses
- Each clause is a set (disjunction) of literals
- A literal is a variable or the negation of a variable
- Given any formula F it is always possible to produce F' in CNF s.t. F' is satisfiable exactly when F is satisfiable and |F'| = poly(|F|)
18 Formulas and CNF (example)
[Figure: T4(x, x') and T4(x, x') in CNF]
19 Solving SAT: search algorithm
- Search(F)
    Simplify(F)
    if F = ∅ return 1
    if ∅ ∈ F return 0
    l ← ChooseLiteral(F)
    if Search(F ∧ l) then return 1
    else return Search(F ∧ ¬l)
- Simplify(F)
    while ∃l : {l} ∈ F do
      for each C ∈ F with l ∈ C: F ← F \ C
      for each C ∈ F with ¬l ∈ C: F ← (F \ C) ∪ (C \ {¬l})
    end
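An added Python example (not from the slides) that implements the Search/Simplify procedure above and uses it for the bounded symbolic reachability of slides 13-14: the two modulo-4 counter transition tables (one correct, one wired so that s00 is unreachable from s01/s10), the variable numbering and the auxiliary f_i variables are constructed assumptions, not the author's encoding.

```python
from itertools import product
# Constructed modulo-4 counters (not from the slides). FIXED cycles s00 -> s01 ->
# s10 -> s11 -> s00; BUGGY wires s11 back to s01, so s00 is never reached from s01/s10.
FIXED = {(0, 0): (0, 1), (0, 1): (1, 0), (1, 0): (1, 1), (1, 1): (0, 0)}
BUGGY = {**FIXED, (1, 1): (0, 1)}

def simplify(clauses):
    # Unit propagation (the slide's Simplify): for a unit literal l, drop every
    # clause containing l and delete -l from the rest. Returns (clauses, forced literals).
    clauses, forced = list(clauses), []
    while True:
        unit = next((next(iter(c)) for c in clauses if len(c) == 1), None)
        if unit is None:
            return clauses, forced
        forced.append(unit)
        clauses = [c - {-unit} for c in clauses if unit not in c]

def search(clauses, model=()):
    # DPLL (the slide's Search): returns a satisfying list of literals, or None.
    clauses, forced = simplify(clauses)
    model = tuple(model) + tuple(forced)
    if any(len(c) == 0 for c in clauses):
        return None                            # empty clause: conflict, backtrack
    if not clauses:
        return list(model)                     # no clauses left: satisfiable
    lit = next(iter(clauses[0]))               # ChooseLiteral: naive first literal
    return (search(clauses + [frozenset([lit])], model)
            or search(clauses + [frozenset([-lit])], model))

def var(i, bit):                               # variable for bit `bit` of s_i (i >= 1)
    return 2 * (i - 1) + bit + 1

def lits(i, state):                            # literals asserting s_i == state
    return [var(i, b) if state[b] else -var(i, b) for b in (0, 1)]

def bounded_reach(nxt, init, goal, k):
    # R(s1..sk) in CNF: I(s1), T(si,si+1) for i < k, F(si) for some i (via f_i).
    clauses = [[l] for l in lits(1, init)]                      # I(s1)
    for i, s, t in product(range(1, k), nxt, nxt):              # T(si, si+1): block
        if t != nxt[s]:                                         # every non-transition
            clauses.append([-l for l in lits(i, s) + lits(i + 1, t)])
    f = lambda i: 2 * k + i                                     # fresh var: f_i -> F(si)
    for i in range(1, k + 1):
        clauses += [[-f(i), l] for l in lits(i, goal)]
    clauses.append([f(i) for i in range(1, k + 1)])             # some f_i must hold
    model = search([frozenset(c) for c in clauses])             # None: unreachable in k steps
    true = {l for l in model or () if l > 0}
    return None if model is None else [tuple(int(var(i, b) in true) for b in (0, 1)) for i in range(1, k + 1)]
```

`bounded_reach(FIXED, (1, 0), (0, 0), 3)` returns the trace s10, s11, s00, while `bounded_reach(BUGGY, (1, 0), (0, 0), 6)` returns None for any bound k, which is the unsatisfiable R of slide 14.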
20 Search process (example)
21 Solving SAT in practice
- The performance of the search algorithm critically depends on
- the particular ChooseLiteral heuristic
- the amount of simplification performed
- the smartness of the backtracking schema
- No silver bullet, but state-of-the-art SAT solvers can solve industrial scale problems with thousands of variables!
22 Research issues
- Bounded symbolic reachability via SAT
- performs very well on bug-finding
- when the error trace is short, or
- the diameter of the search space is small
- Nevertheless
- since there can be up to 2^N states, it may not be feasible for general symbolic reachability, and
- it can become impractical even for error traces of reasonable lengths
23 Research issues (ctd.)
- Tools for reasoning with boolean formulas
- are routinely used in research and industry
- reach good performance and capacity standards
- Nevertheless
- most of them are special purpose (disposable code)
- they are difficult (if not impossible) to integrate into existing systems
- most often they are unsupported, undocumented, not robust enough for time/safety/money-critical applications
24 Lab core research
- Encodings for (bounded) symbolic reachability exploiting quantified Boolean formulas
- compact and (possibly) effective, but
- challenging: solving Q-SAT is PSPACE-hard!
- A toolkit for reasoning with Boolean formulas
- handles quantified Boolean formulas
- features a component-based architecture
- integrates several services, e.g., enumeration of assignments, logic minimization
- is reasonably efficient w.r.t. special purpose tools
25 Formal verification projects
- FIRB Knowledge Level Automated Software Engineering (ends in 2005)
- PRIN Advanced Reasoning Systems for the representation and Formal Verification of Complex Systems (ends in 2004)
- INTEL SAT Solvers for Symbolic Model Checking and Formal Verification (2001-2003)
26 Planning projects
- ASI-DOVES Enabling On-board Autonomy: A platform for the Development of Verified Software (ends in 2004)
- ASI-SACSO Safety Critical Software for planning space robotics (ends in 2004)
- ASI-GMES An innovative system for the management of satellite constellations and its application to environmental protection (proposal)
- RoboCare Multi-agent system with fixed components and intelligent mobile robots (ends in 2005)
27 FIRB
- Knowledge Level Automated Software Engineering
- 4 million euros
28 FIRB (objectives)
- A Knowledge Level Automated Software Engineering methodology
- A requirement actor and goal oriented framework
- Theories and techniques for the code analysis
- A concept demonstrator prototype, integrating the developed techniques
- The application of the prototype to a case study
29 FIRB (activities)
- Development of a methodology based on the goal/actors paradigm
- Automated Reasoning for validation and verification of software (QBF, BMC, SAT...)
- Automated Planning for software development automation
- Natural language processing for documentation analysis
- Analysis and Testing of systems based on the goal/actors paradigm
30 Lab activities on FIRB
- Development of a planning language for the goal/actor framework
- Study and development of planning techniques based on SAT
- Study and development of planning techniques based on QBF
- Development of a Tool for formal verification
31 Looking for thesis students for FIRB?
- Good knowledge of
- Basic computer science (algorithms and data structures)
- Standard C/C++ languages
- English
- Willingness
- To work hard in a young and growing team
- To spend periods in Trento during the thesis
- To start the thesis in September/October 2003
- Programme
- Initial training in Genoa during the thesis
- Completion of the work at ITC/IRST in Trento under a one-year collaboration contract