Symbolic Model Checking

Transcription

1 Symbolic Model Checking Ken McMillan 90 Randal Bryant 86 Binary Decision Diagrams 1

2 Combinatorial Circuits 2

3 Combinatorial Problems Sudoku Eight Queen 3

4 Control Programs A Train Simulator, visualstate (VVS) 1421 machines transitions 2981 inputs 2667 outputs 3204 local states Declare state sp.: 10^476 BUGS? Ideal presentation: 1 bit/state will clearly NOT work! 4

5 Reduced Ordered Binary Decision Diagrams [Bryant 86] Compact represetation of boolean functions allowing effective manipulation (satifiability, validity,.) or Compact representation of sets over finite universe allowing effective manipulations. 5

6 Binary Decision Diagrams [Randal Bryant 86] A short review 6

7 If-Then-Else Normal Form 7

8 Shannon Expansion 8

9 Binary Decision Trees Variable is set to 0 Variable is set to 1 Each path determines a partial (set of) truth assignments. Result of the boolean expression under the given assigment found in value of terminal. 9

10 Orderedness & Redundant TESTS 10

11 Orderedness & Reducedness x x x x y z x<y x<z 11

12 ROBDDs formally 12

13 Reduced Ordered Binary Decision Diagrams Iben Edges to 0 implicit 13

14 Ordering DOES matter 14

15 Canonicity of ROBDDs 15

16 Build Complexity?? 16

17 APPLY operation 17

18 APPLY example 18

19 APPLY operation with dynamic programming 19

20 Other operations 20

21 Constraint Solving using BDDs 21

22 x 4 Sudoku 288 solutions! 22

23 Encoding Boolean variables x i,j,k for all i, j, k {1,2,3,4}. 4 4 Idea: x 2,2,2 =1 x 4,4,4 =1 x 2,2,1 =0 x i,j,k = 1 ; if the number k is in position (i,j) in the solution 0 ; otherwise 23

24 Constraints Precisely one value in each position i, j: x 1,j,1 + x i,j,2 + x i,j,3 + x i,j,4 = for each i, j Each value k appears in each row i exactly ones: x i,1,k + x i,2,k + x i,3,k + x i,4,k = 1 for each i, k Each value k appears in each colomn j exactly ones: x 1,j,k + x 2,j,k + x 3,j,k + x 4,j,k = 1 for each j, k Each value k appears in each 2x2 box exactly ones: x 1,1,k + x 1,2,k + x 2,1,k + x 2,2,k = 1 (e.g.) 24

25 Solving Sudoku

26 ROBDDs and Verification [,McMillan 90,..,VVS 97] 26

27 00 ROBDD encoding of transition 01 system Encoding of states using binary variables (here x1 and x2) Encoding of transition relation using source and target variables (here x1, x2, y1, and y2) Trans(x1,x2,y1,y2):=!x1 &!x2 &!y1 & y2 +!x1 &!x2 & y1 & y2 + x1 &!x2 &!y1 & y2 + x1 &!x2 & y1 & y2 + x1 & x2 & y1 &!y2; 27

28 ROBDD representation (cont.) Trans(x1,x2,y1,y2):=!x1 &!x2 &!y1 & y2 +!x1 &!x2 & y1 & y2 + x1 &!x2 &!y1 & y2 + x1 &!x2 & y1 & y2 + x1 & x2 & y1 &!y2; 28

29 ATrans(x,y) ROBDD for parallel composition Asynchronous composition Trans(x,y,u,v) = (ATrans(x,y) & v=u) + (BTrans(u,v) & y=x) Synchronous composition Trans(x,y,u,v) = (ATrans(x,y) & BTrans(u,v)) BTrans(u,v) Which ordering to choose? 29

30 Ordering? 45 nodes x1,x2,u1,u2, y1,y2,v1,v2 23 nodes x1,x2,y1,y2,u1,u2,v1,v2 20 nodes x1,y1,x2,y2,u1,v1,u2,v2 Polynomial size BDDs guaranteed in size of argument BDDs [Enders,Filkorn, Taubner 91] 30

31 Reachable States Reach(x) := Init(x); REPEAT Old(x) := Reach(x); New(y) := Exists x.(reach(x) & Trans(x,y)); Reach(x) := Old(x) + New(x) UNTIL Old(x) = Reach(x) Relational Product: May be constructed without building intermediate (often large) &-BDD. Reach 0 Reach 1 Reach Reach 1 31

32 A MUTEX Algorithm Clarke & Emerson P1 P1 :: :: while True do do T1 T1 : wait(turn=1) C1 C1 : turn:=0 endwhile P2 P2 :: :: while True do do T2 T2 : wait(turn=0) C2 C2 : turn:=1 endwhile Mutual Exclusion Program 32

33 Global Transition System I1 I2 t=0 I1 I2 t=1 T1 I2 t=0 I1 T2 t=0 T1 I2 t=1 I1 T2 t=1 T1 T2 t=0 I1 C2 t=0 C1 I2 t=1 T1 T2 t=1 T1 C2 t=0 C1 T2 t=1 33

34 A MUTEX Algorithm Clarke & Emerson vars x1 x2; vars y1 y2; vars u1 u2; vars v1 v2; vars t s; ATrans := (!x1 &!x2 &!y1 & y2 & (s=t)) + (!x1 & x2 &!y1 & y2 &!t &!s) + (!x1 & x2 & y1 &!y2 & t & s) + (x1 &!x2 &!y1 &!y2 &!s); BTrans := (!u1 &!u2 &!v1 & v2 & (s=t)) + (!u1 & u2 &!v1 & v2 & t & s) + (!u1 & u2 & v1 &!v2 &!t &!s) + (u1 &!u2 &!v1 &!v2 & s); TT := (ATrans & (u1=v1) & (u2=v2)) + (BTrans & (x1=y1) & (x2=y2));

35 BDDs for Transition Relations ATrans TT 35

36 Reachable States Reach(x) := Init(x); REPEAT Old(x) := Reach(x); New(y) := Exists x.(reach(x) & Trans(x,y)); Reach(x) := Old(x) + New(x) UNTIL Old(x) = Reach(x) 36

37 Reachable States Reach(x) := Init(x); REPEAT Old(x) := Reach(x); New(y) := Exists x.(reach(x) & Trans(x,y)); Reach(x) := Old(x) + New(x) UNTIL Old(x) = Reach(x) 37

38 Reachable States Reach(x) := Init(x); REPEAT Old(x) := Reach(x); New(y) := Exists x.(reach(x) & Trans(x,y)); Reach(x) := Old(x) + New(x) UNTIL Old(x) = Reach(x) MUTEX? Reach & x1 &!x2 & u1 &!u2 Reach 38

39 Bisimulation vars x (y) Bis(x,u):= 1; REPEAT Old(x,u) := Bis(x,u); Bis(x,u) := Forall y. Trans(x,y) => (Exists v. Trans(u,v) & Bis(y,v)) & Forall v. Trans(u,v) => (Exists y. Trans(x,y) & Bis(y,v)); UNTIL Bis(x,u)=Old(x,u) vars u (v) 39

40 Bisimulation (cont.) Bis 0 Bis 1 Bis equivalence classes = 6 pairs in final bisimulation 40

41 Model Checking 0 1 p p,q q 3 2 p vars x1 x2; vars y1 y2; Trans(x1,x2,y1,y2) :=!x1 &!x2 &!y1 & y2 +!x1 &!x2 & y1 & y2 + ; P(x1,x2) :=!x1 &!x2 +!x1 & x2 + x1 &!x2; Q(x1,x2) := ; 41

42 Model Checking 0 1 p p,q q 3 2 p EX P Exists y1,y2. Trans(x1,x2,y1,y2) & P(y1,y2); 42

43 Model Checking 0 1 p p,q q 3 2 p EX P Exists y1,y2. Trans(x1,x2,y1,y2) & P(y1,y2); 43

44 Model Checking 0 1 p p,q q 3 2 p AX P Forall y1,y2. Trans(x1,x2,y1,y2) => P(y1,y2); 44

45 Model Checking 0 1 p p,q q 3 2 p AX P Forall y1,y2. Trans(x1,x2,y1,y2) => P(y1,y2); 45

46 Model Checking 0 1 p p,q 2 AG P p max fixpoint q 3 A(x1,x2) = P(x1,x2) & Forall y1,y2. Trans(x1,x2,y1,y2) => A(y1,y2); 46

47 Model Checking 0 1 p p,q 2 AG P p max fixpoint q 3 A(x1,x2) = P(X1,x2) & Forall y1,y2. Trans(x1,x2,y1,y2) => A(y1,y2); 47

48 Model Checking 0 1 p p,q q 3 2 A( P UNTIL Q ) p min fixpoint U(x1,x2) = Q(x1,x2) + { P(x1,x2) & Forall y1,y2. Trans(x1,x2,y1,y2) => U(y1,y2) }; 48

49 Model Checking 0 1 p p,q q 3 2 A( P UNTIL Q ) p min fixpoint U(x1,x2) = Q(X1,x2) + { P(x1,x2) & Forall y1,y2. Trans(x1,x2,y1,y2) => U(y1,y2) }; 49

50 Partitioned Transition Relation Relational Product LARGE Exists yv. (T(xu,yv) & S(yv)) Asynchronous T(xu,yv) = (ATrans(x,y) & v=u) + (BTrans(u,v) & y=x) Exists y. ATrans(x,y) & S(yu) + Exists v. BTrans(u,v) & S(xv) Synchronous T(xu,yv) = ATrans(x,y) & BTrans(u,v) Exists yv. Atrans(x,y) & Btrans(u,v) & S(yv) Exists y. Atrans(x,y) & (Exists v. Btrans(u,v) & S(yv)) 50

51 visualstate CIT project VVS (w DTU) Beologic s Products: salesplus visualstate : Independent division of B& : Independent company B&O, 2M Invest, Danish Municipal Pension Ins. Fund 1998: BAAN 2000: IAR Systems A/S Customers: ABB B&O Daimler-Benz Ericson DIAX ESA/ESTEC FORD Grundfos LEGO PBS Siemens. (approx. 200) Verification Problems: components states Embedded Systems Simple Model Verification of Std. Checks Explicit Representation (STATEEXPLOSION) Code Generation Our techniques has reduced verification by an order of magnitude (from 14 days to 6 sec) 51

52 visualstate Embedded World Nürnberg,

53 Control Programs A Train Simulator, visualstate (VVS) 1421 machines transitions 2981 inputs 2667 outputs 3204 local states Declare state sp.: 10^476 BUGS? Ideal presentation: 1 bit/state will clearly NOT work! 53

54 Experimental Breakthroughs Patented System Mach. State Space Checks Visual St-of-Art ComBack Declared Reach ST Sec MB Sec MB VCR 7 10^ <1 <1 6 <1 7 JVC 8 10^ <1 <1 6 <1 6 HI-FI 9 10^ Motor 12 10^ <1 6 2,0 AVS 12 10^ Video 13 10^ Car 20 10^ ^ N ^ N ^ ^ N ^ ^ Train ^ Train ^ Machine: 166 MHz Pentium PC with 32 MB RAM ---: Out of memory, or did not terminate after 3 hours. 54

55 System Experimental Breakthroughs Patented Mach. State Space Checks Visual St-of-Art ComBack Declared Reach ST Sec MB Sec MB VCR 7 10^ <1 <1 6 <1 7 JVC 8 10^ <1 <1 6 <1 6 HI-FI 9 10^ Motor 12 10^ <1 6 2,0 AVS 12 10^ Video 13 10^ Car 20 10^ ^ N ^ N ^ ^ N ^ ^ Our technique have reduced verification time by several orders of magnitude (eg. From 14 days to 6 sec) Train ^ Train ^ Machine: 166 MHz Pentium PC with 32 MB RAM ---: Out of memory, or did not terminate after 3 hours. 55

56 Compositional Backwards Reachability [ TACAS 98 ] 56

57 Example The Small Train t l r Train Gate Signal t l,t STOP DOWN DOWN t BW r FW l r d RED UP DOWN GR u g re RED 57

58 Syntax State-Event Model visualstate n synchronously combined machines where M i = (S i,s i0,t i ) T i S i E G i M(O) S i Input Events Semantics (s 1,,s n ) e, o i (s 1,,s n ) iff s i - e,g i,o i s i with g i (s 1,,s n )=true or Guards on other machines locations Output s i = s i and o i =Ø and whenever s i - e, g i then g i (s 1,,s n )=false i=1..n 58

59 STOP UP GR Small Train (cont) t DOWN l,t r DOWN t d RED u g re Gate BW r l FW DOW N RED DOWN Signal UP GR RED STOP BW FW Train 59

60 STOP UP GR Small Train (cont) t DOWN l,t r DOWN t d RED u g re BW r l FW DOW N RED Gate l r d DOWN Signal UP GR RED re STOP BW FW Train 60

61 Generic Checks visualstate offers checks for a number of predefined properties: Reachability Reachability of states Firing of transitions Input without interpretation Output without generation Conflicting Rules Local Deadlock Global Deadlock Not a single CHECK but several thousands! 61

62 Guard dependencies Let g 1, g 2, g 3,, g N (N big) be the guards we want to show reachable If g i g j (e.g. g i =DOWN UP, g j =DOWN) then it suffices to show that g i reachable, i.e. there is a reachable global state satisfying g i. Sort g 1, g 2, g 3,, g N according to size and check only if NOT implied by a previously shown reachable guard % reduction. 62

63 Machine Dependencies A guard g in machie M i that depends on/refers to a state in M j introduces a dependency from M i to M j STOP UP GR t DOWN l,t r DOWN t d RED u g re BW r FW DOWN RED l TRAIN GATE SIGNAL Backwards statespace iterations can be restricted to dependency closed sets, e.g. DC(GATE) = {GATE,SIGNAL} 63

64 Compositional Backwards t DOWN BW l,t STOP r l r DOWN FW t d RED UP DOW N GR u g re RED Is FW reachable? IDEA: Compute backward reachable states as much as possible with minimal set of machines. Increase set of considered machines when necessary! Consider TRAIN TRAIN STOP BW FW 64

65 Compositional Backwards t DOWN BW l,t STOP r l r DOWN FW t d RED UP DOW N GR u g re RED Is FW reachable? IDEA: Compute backward reachable states as much as possible with minimal set of machines. Increase set of considered machines when necessary! Consider TRAIN TRAIN STOP DOWN BW DOWN FW Ignoring INPUT event 65

66 Compositional Backwards t DOWN BW l,t STOP r l r DOWN FW t d RED UP DOW N GR u g re RED Is FW reachable? IDEA: Compute backward reachable states as much as possible with minimal set of machines. Increase set of considered machines when necessary! Consider TRAIN TRAIN STOP DOWN BW DOWN FW Ignoring INPUT event 66

67 Compositional Backwards Include GATE! t DOWN BW l,t STOP r l r DOWN FW t d RED UP DOW N GR u g re RED Ignoring transtions with source in RED TRAIN BW FW 67

68 Compositional Backwards Include GATE! t DOWN BW l,t STOP r l r DOWN FW t d RED UP DOW N GR u g re RED Ignoring transtions with source in RED Any state projecting to can reach a state projecting to BW FW TRAIN 68

69 Compositional Backwards Gate t DOWN BW l,t STOP r l r DOWN FW t d RED UP DOW N GR u g re RED Include SIGNAL! DOWN RED Signal UP GR STOP BW FW Train Thus FW is reachable! 69

70 Hierarchical Systems [ TACAS 99 ] IDEA Reuse already known reachability properties of superstates to conclude reachability of substates! 70

71 Experimental results 71