Binary Decision Diagrams and Symbolic Model Checking

Similar documents
A brief history of model checking. Ken McMillan Cadence Berkeley Labs

Reduced Ordered Binary Decision Diagrams

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Symbolic Model Checking with ROBDDs

Formal Methods Lecture VII Symbolic Model Checking

Polynomial Methods for Component Matching and Verification

EECS 219C: Computer-Aided Verification Boolean Satisfiability Solving III & Binary Decision Diagrams. Sanjit A. Seshia EECS, UC Berkeley

Binary Decision Diagrams

Finite-State Model Checking

Model checking the basic modalities of CTL with Description Logic

QuIDD-Optimised Quantum Algorithms

CS357: CTL Model Checking (two lectures worth) David Dill

Symbolic Trajectory Evaluation (STE): Orna Grumberg Technion, Israel

Lecture 2: Symbolic Model Checking With SAT

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

Binary Decision Diagrams

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

1 Algebraic Methods. 1.1 Gröbner Bases Applied to SAT

Ranking Verification Counterexamples: An Invariant guided approach

Model Checking: An Introduction

Abstractions and Decision Procedures for Effective Software Model Checking

Reduced Ordered Binary Decision Diagrams

ECE/CS 250 Computer Architecture

Chapter 3 Deterministic planning

ECE 250 / CPS 250 Computer Architecture. Basics of Logic Design Boolean Algebra, Logic Gates

Basing Decisions on Sentences in Decision Diagrams

Equivalence Checking of Sequential Circuits

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Symbolic Model Checking

SAT-Solving: From Davis- Putnam to Zchaff and Beyond Day 3: Recent Developments. Lintao Zhang

INF2270 Spring Philipp Häfliger. Lecture 8: Superscalar CPUs, Course Summary/Repetition (1/2)

EGFC: AN EXACT GLOBAL FAULT COLLAPSING TOOL FOR COMBINATIONAL CIRCUITS

COMPRESSED STATE SPACE REPRESENTATIONS - BINARY DECISION DIAGRAMS

Bounded Model Checking Using Satisfiability Solving

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Binary Decision Diagrams

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Appendix B. Review of Digital Logic. Baback Izadi Division of Engineering Programs

Detecting Support-Reducing Bound Sets using Two-Cofactor Symmetries 1

Formal Verification Methods 1: Propositional Logic

Verifying Randomized Distributed Algorithms with PRISM

The State Explosion Problem

Chapter 4: Computation tree logic

Combinational Equivalence Checking using Boolean Satisfiability and Binary Decision Diagrams

Cryptographic Protocols Notes 2

CMP 338: Third Class

Combinational Logic Design Combinational Functions and Circuits

Sequential Equivalence Checking without State Space Traversal

Space Complexity. The space complexity of a program is how much memory it uses.

Binary Decision Diagrams Boolean Functions

Automatic Synthesis of Distributed Protocols

Synchronous program verification with Lustre/Lesar

Computer Science. Questions for discussion Part II. Computer Science COMPUTER SCIENCE. Section 4.2.

A Brief Introduction to Model Checking

CS61c: Representations of Combinational Logic Circuits

Hardware Equivalence & Property Verification

Linear-time Temporal Logic

Automata-Theoretic Model Checking of Reactive Systems

Sanjit A. Seshia EECS, UC Berkeley

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

Parallelism and Machine Models

Multi-Terminal Multi-Valued Decision Diagrams for Characteristic Function Representing Cluster Decomposition

Decision Procedures for Satisfiability and Validity in Propositional Logic

POLYNOMIAL SPACE QSAT. Games. Polynomial space cont d

1 PSPACE-Completeness

Model Checking. Boris Feigin March 9, University College London

State-Space Exploration. Stavros Tripakis University of California, Berkeley

CSE370: Introduction to Digital Design

Integrating Induction and Deduction for Verification and Synthesis

-bit integers are all in ThC. Th The following problems are complete for PSPACE NPSPACE ATIME QSAT, GEOGRAPHY, SUCCINCT REACH.

Hardware to Compute Walsh Coefficients

Announcements. Friday Four Square! Problem Set 8 due right now. Problem Set 9 out, due next Friday at 2:15PM. Did you lose a phone in my office?

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

High Level Reduction Technique for Multiway Decision Graphs Based Model Checking

Lecture 8: Complete Problems for Other Complexity Classes

Adders, subtractors comparators, multipliers and other ALU elements


Lecture 22: Quantum computational complexity

CprE 281: Digital Logic

Model Order Reduction via Matlab Parallel Computing Toolbox. Istanbul Technical University

Review for B33DV2-Digital Design. Digital Design

Part I: Definitions and Properties

Worst-Case Execution Time Analysis. LS 12, TU Dortmund

MODEL CHECKING. Arie Gurfinkel

Latches. October 13, 2003 Latches 1

Exploiting Interleaving Semantics in Symbolic State Space Generation

Fault Collapsing in Digital Circuits Using Fast Fault Dominance and Equivalence Analysis with SSBDDs

Scalable and Accurate Verification of Data Flow Systems. Cesare Tinelli The University of Iowa

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Chapter 2 Biconditional Logic

Learning Abstractions for Model Checking

ECE/CS 250: Computer Architecture. Basics of Logic Design: Boolean Algebra, Logic Gates. Benjamin Lee

Lecture Notes on Emptiness Checking, LTL Büchi Automata

CLEVER: Divide and Conquer Combinational Logic Equivalence VERification with False Negative Elimination

Complexity. Complexity Theory Lecture 3. Decidability and Complexity. Complexity Classes

The Class NP. NP is the problems that can be solved in polynomial time by a nondeterministic machine.

CSE 555 HW 5 SAMPLE SOLUTION. Question 1.

P, NP, NP-Complete. Ruth Anderson

Verification as Learning Geometric Concepts

Verification using Satisfiability Checking, Predicate Abstraction, and Craig Interpolation. Himanshu Jain THESIS ORAL TALK

Transcription:

Binary Decision Diagrams and Symbolic Model Checking Randy Bryant Ed Clarke Ken McMillan Allen Emerson CMU CMU Cadence U Texas http://www.cs.cmu.edu/~bryant

Binary Decision Diagrams Restricted Form of Branching Program Graph representation of Boolean function Canonical form Simple algorithms to construct & manipulate Application Niche Problems expressed as Quantified Boolean Formulas A lot of interesting problems are in PSPACE Symbolic Model Checking Prove properties about large-scale, finite-state system Successfully used to verify hardware systems 2

Boolean Function as Language Truth Table Language DFA x x 2 x 3 f {,, }, View n-variable Boolean function as language {,} n Reduced DFA is canonical representation 3

From DFA to OBDD x x x, x 2 x 2 x 3 x 2 x 3 x 2 x 3 Canonical representation of Boolean function Two functions equivalent if and only if graphs isomorphic Desirable property: simplest form is canonical. 4

Representing Circuit Functions Functions All outputs of 4-bit adder S 3 Cout Functions of data inputs S 2 b 3 b 3 b 3 b 3 A B A D D Cout S S a 2 b 2 b 2 a a 2 b 2 b 2 a a 2 b 2 b 2 a 5 Shared Representation Graph with multiple roots 3 nodes for 4-bit adder 57 nodes for 64-bit adder Linear growth S b b b b b b a a a b b

Effect of Variable Ordering ( a b ) ( a2 b2 ) ( a3 b3 ) Good Ordering Bad Ordering a a b a 2 a 2 a 2 b 2 b b b b b 2 b 2 b 3 b 3 Linear Growth Exponential Growth 6

Sample Function Classes Function Class Best Worst Ordering Sensitivity ALU (Add/Sub) linear exponential High Symmetric linear quadratic None Multiplication exponential exponential Low General Experience Many tasks have reasonable OBDD representations Algorithms remain practical for up to 5, node OBDDs Heuristic ordering methods generally satisfactory 7

Symbolic Manipulation with OBDDs Strategy Represent data as set of OBDDs Identical variable orderings Shared sub-expressions Express solution as sequence of symbolic operations Sequence of constructor & query operations Similar to on-line algorithm Implement each operation by OBDD manipulation Do all the work in the constructor operations Key Algorithmic Properties Arguments are OBDDs with identical variable orderings Result is OBDD with same ordering Each step has polynomial complexity 8

If-Then-Else Operation Concept Basic technique for building OBDD from logic network or formula. Arguments I, T, E I I T, E Functions over variables X Represented as OBDDs X T E MUX Result OBDD representing composite function (I T) ( I E) 9

If-Then-Else Execution Example Argument I Argument T Argument E Recursive Calls A a a B A,B A 2 b A 2,B 2 c A 6 c B 5 A 6,B 2 A 6,B 5 A 3 d B 2 d A 3,B 2 A 5,B 2 A 3,B 4 A 4 A 5 B 3 B 4 A 4,B 3 A 5,B 4 Optimizations Dynamic programming Early termination rules

If-Then-Else Result Generation Recursive Calls Without Reduction With Reduction A,B a a C 6 A 2,B 2 A 6,B 2 A 6,B 5 b c c C 5 b C 4 c A 3,B 2 A 5,B 2 A 3,B 4 d C 3 d A 4,B 3 A 5,B 4 C C 2 Recursive calling structure implicitly defines unreduced BDD Apply reduction rules bottom-up as return from recursive calls

Restriction Operation Concept Effect of setting function argument x i to constant k ( or ). Also called Cofactor operation (UCB) F x equivalent to F [x = ] F x equivalent to F [x = ] x k x i F F [x i =k] x i + x n 2

Restriction Execution Example Argument F a b c d Restriction F[b=] a c d Reduced Result d c 3

Derived Algebraic Operations Other operations can be expressed in terms of If-Then-Else And(F, G) If-Then-Else(F, G, ) X F G X F G F G, MUX X Or(F, G) F G X If-Then-Else(F,, G) F G F, G MUX 4

Generating OBDD from Network Task: Represent output functions of gate network as OBDDs. A B C Network T T2 Out Evaluation A new_var ("a"); B new_var ("b"); C new_var ("c"); T And (A,, B); T2 And (B, C); Out Or (T, T2); Resulting Graphs A B C T a T2 b Out b a b a b c b c c 5

Functional Composition x x x i F x i + x x n G x x n G x i x i + F F [x i =G] x n x MUX x n x i F x i + x n Create new function by composing functions F and G. Useful for composing hierarchical modules. 6

Variable Quantification x x x i x i + F x i F x i F x i + x n x n x x i F x i + x n Eliminate dependency on some argument through quantification Combine with AND for universal quantification. 7

Finite State System Analysis Systems Represented as Finite State Machines 8 Sequential circuits Communication protocols Synchronization programs Analysis Tasks State reachability State machine comparison Temporal logic model checking Traditional Methods Impractical for Large Machines Polynomial in number of states Number of states exponential in number of state variables. Example: single 32-bit register has 4,294,967,296 states!

Temporal Logic Model Checking Verify Reactive Systems Construct state machine representation of reactive system Nondeterminism expresses range of possible behaviors Product of component state machines Express desired behavior as formula in temporal logic Determine whether or not property holds Traffic Light Controller Design It is never possible to have a green light for both N-S and E-W. Model Checker True False + Counterexample 9

Characteristic Functions Concept A {,} n Set of bit vectors of length n Represent set A as Boolean function A of n variables X A if and only if A(X ) = A / Set Operations A Union A Intersection B B 2

Symbolic FSM Representation Nondeterministic FSM Symbolic Representation n o 2 n 2 o o 2 o, o 2 encoded old state n, n 2 encoded new state 2 Represent set of transitions as function δ(old, New) Yields if can have transition from state Old to state New Represent as Boolean function Over variables encoding states

Reachability Analysis Task Compute set of states reachable from initial state Q Represent as Boolean function R(S) Never enumerate states explicitly Given Compute old state new state δ / R state / Initial R = Q 22

Breadth-First Reachability Analysis R R R 2 R 3 R i set of states that can be reached in i transitions Reach fixed point when R n = R n+ Guaranteed since finite state 23

Iterative Computation R i R i + old new δ R i R i + set of states that can be reached i + transitions Either in R i or single transition away from some element of R i 24

Symbolic FSM Analysis Example K. McMillan, E. Clarke (CMU) J. Schwalbe (Encore Computer) Encore Gigamax Cache System Distributed memory multiprocessor Cache system to improve access time Complex hardware and synchronization protocol. Verification Create simplified finite state model of system ( 9 states!) Verify properties about set of reachable states Bug Detected Sequence of 3 bus events leading to deadlock With random simulations, would require 2 years to generate failing case. In real system, would yield MTBF < day. 25

System Modeling Example Global Bus Gigamax Memory System Interface Cluster #2 Abstraction Cluster #3 Abstraction Interface Cluster # Bus Mem. Cache Control. Proc. Cache Control. Proc. Simplifying Abstractions Single word cache Single bit/word Abstract other clusters Imprecise timing 26 Arbitrary reads & writes

Commercial Applications of Symbolic Model Checking Several Commercial Tools Difficult training and customer support Most Large Companies Have In-House Versions IBM, Lucent, Intel, Motorola, SGI, Fujitsu, Siemens, Many based on McMillan s SMV program Requires Sophistication Beyond that of mainstream designers 27

Application Challenge System Size Challenging Systems to Design Model checking Capacity Degree of Concurrency Cannot Apply Directly to Full Scale Design Verify smaller subsystems Verify abstracted versions of full system Must understand system & tool to do effectively 28

Real World Issues Still Too Volatile Fail by running out of space Useless once exceed physical memory capacity Ongoing Research to Improve Memory Performance Dynamic variable ordering Exploiting modularity of system model Partitioned transition relations Exploiting parallelism Map onto multiple machines Difficult program for parallel computation» Dynamic, irregular data structures 29

Dynamic Variable Reordering Richard Rudell, Synopsys Periodically Attempt to Improve Ordering for All BDDs Part of garbage collection Move each variable through ordering to find its best location Has Proved Very Successful Time consuming but effective Especially for sequential circuit analysis 3

Dynamic Reordering By Sifting Choose candidate variable Try all positions in variable ordering Repeatedly swap with adjacent variable Move to best position found Best Choices a a a a b a 2 a 2 a 2 a 2 a 2 a 2 b a b b a 2 a 2 b 2 b 2 b 2 b 2 b 2 b 2 b 2 b 2 b b b 3 b 3 b 2 b 2 b 2 b 2 b 2 b 2 b 3 b b 3 b 3 b 3 3

Swapping Adjacent Variables Localized Effect Add / delete / alter only nodes labeled by swapping variables Do not change any incoming pointers g h i j e f g h e b 2 b f b 2 b b b b 2 b 2 b 2 b 2 i j b b 32

Tuning of BDD Packages Cooperative Effort Bwolen Yang, in cooperation with researchers from Colorado, Synopsys, CMU, and T.U. Eindhoven Measure & improve performance of BDDs for symbolic model checking Methodology Generated set of benchmark traces Run 6 different packages on same machine Compare results and share findings Cooperative competition 33

Effect of Optimizations Compare pre- vs. post-optimized results for 96 runs 6 different BDD packages 6 benchmark traces each Limit each run to maximum of 8 CPU hours and 9 MB Measure speedup = T old / T new or: New: Failed before but now succeeds Fail: Fail both times Bad: Succeeded before, but now fails 34

Optimization Results Summary 8 7 6 Cumulative Speedup Histogram 6 75 76 76 # of cases 5 4 3 2 6 > 22 > 33 >5 >2 > speedups >.95 > 3 new 6 failed bad 35

What s Good about OBDDs Powerful Operations Creating, manipulating, testing Each step polynomial complexity Graceful degradation Generally Stay Small Enough Especially for digital circuit applications Given good choice of variable ordering Weak Competition No other method comes close in overall strength Especially with quantification operations 36

Thoughts on Algorithms Research Need to be Willing to Attack Intractable Problems Many real-world problems NP-hard No approximations for verification Who Works on These? Mostly people in application domain Most work on BDDs in computer-aided design conferences Not by people with greatest talent in algorithms No papers in STOC/FOCS/SODA Probably many ways they could improve things Fundamental dilemma Can only make weak formal statements about efficiency Utility demonstrated empirically 37

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback