Symbolic Model Checking with ROBDDs

Similar documents
Reduced Ordered Binary Decision Diagrams

Reduced Ordered Binary Decision Diagrams

Binary Decision Diagrams

Binary Decision Diagrams

Binary Decision Diagrams Boolean Functions

EECS 219C: Computer-Aided Verification Boolean Satisfiability Solving III & Binary Decision Diagrams. Sanjit A. Seshia EECS, UC Berkeley

Binary Decision Diagrams

Boolean decision diagrams and SAT-based representations

Binary Decision Diagrams and Symbolic Model Checking

Basing Decisions on Sentences in Decision Diagrams

Binary Decision Diagrams. Graphs. Boolean Functions

Decision Procedures for Satisfiability and Validity in Propositional Logic

Binary Decision Diagrams

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

COMPRESSED STATE SPACE REPRESENTATIONS - BINARY DECISION DIAGRAMS

CTL Model Checking. Wishnu Prasetya.

Labeled Transition Systems

Chapter 4: Computation tree logic

Binary Decision Diagrams

Formal Methods Lecture VII Symbolic Model Checking

Binary Decision Diagrams

Binary Decision Diagrams

Polynomial Methods for Component Matching and Verification

The Complexity of Minimizing FBDDs

The Nonapproximability of OBDD Minimization

Sanjit A. Seshia EECS, UC Berkeley

CS357: CTL Model Checking (two lectures worth) David Dill

1 Algebraic Methods. 1.1 Gröbner Bases Applied to SAT

Representations of All Solutions of Boolean Programming Problems

Chapter 2 Combinational Logic Circuits

Comp487/587 - Boolean Formulas

QuIDD-Optimised Quantum Algorithms

BDD Based Upon Shannon Expansion

Bounds on the OBDD-Size of Integer Multiplication via Universal Hashing

Complexity. Complexity Theory Lecture 3. Decidability and Complexity. Complexity Classes

Binary decision diagrams for security protocols

Tutorial 1: Modern SMT Solvers and Verification

Computation Tree Logic

Model Checking with CTL. Presented by Jason Simas

Database Theory VU , SS Complexity of Query Evaluation. Reinhard Pichler

Theoretical Foundations of the UML

The Separation Problem for Binary Decision Diagrams

Model Checking for Propositions CS477 Formal Software Dev Methods

Chapter 6: Computation Tree Logic

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

State-Space Exploration. Stavros Tripakis University of California, Berkeley

Safety and Liveness Properties

Lecture 21: Algebraic Computation Models

Reduced Ordered Binary Decision Diagram with Implied Literals: A New knowledge Compilation Approach

Chapter 2. Reductions and NP. 2.1 Reductions Continued The Satisfiability Problem (SAT) SAT 3SAT. CS 573: Algorithms, Fall 2013 August 29, 2013

Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle]

Exercises - Solutions

Overview. overview / 357

1 Circuit Complexity. CS 6743 Lecture 15 1 Fall Definitions

A Lower Bound Technique for Nondeterministic Graph-Driven Read-Once-Branching Programs and its Applications

COMPUTER SCIENCE TRIPOS

Symbolic Model Checking

1 First-order logic. 1 Syntax of first-order logic. 2 Semantics of first-order logic. 3 First-order logic queries. 2 First-order query evaluation

Multi-Terminal Multi-Valued Decision Diagrams for Characteristic Function Representing Cluster Decomposition

Algorithmic Model Theory SS 2016

Chapter 3 Deterministic planning

CSC 2429 Approaches to the P vs. NP Question and Related Complexity Questions Lecture 2: Switching Lemma, AC 0 Circuit Lower Bounds

More on NP and Reductions

Decision Diagrams for Discrete Optimization

A brief introduction to Logic. (slides from

LOGIC PROPOSITIONAL REASONING

EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization

Fault Collapsing in Digital Circuits Using Fast Fault Dominance and Equivalence Analysis with SSBDDs

Lecture 2: Symbolic Model Checking With SAT

DRAFT. Algebraic computation models. Chapter 14

Parallelism and Machine Models

On the Complexity of the Reflected Logic of Proofs

Quantified Boolean Formulas: Complexity and Expressiveness

Combinational Equivalence Checking using Boolean Satisfiability and Binary Decision Diagrams

Implementing Semantic Merging Operators using Binary Decision Diagrams

Propositional Logic: Evaluating the Formulas

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Section 4.1 Switching Algebra Symmetric Functions

Complexity Theory VU , SS The Polynomial Hierarchy. Reinhard Pichler

Outline. Complexity Theory EXACT TSP. The Class DP. Definition. Problem EXACT TSP. Complexity of EXACT TSP. Proposition VU 181.

Static Program Analysis

Abstractions and Decision Procedures for Effective Software Model Checking

Computational Boolean Algebra. Pingqiang Zhou ShanghaiTech University

02 Propositional Logic

Title. Citation Information Processing Letters, 112(16): Issue Date Doc URLhttp://hdl.handle.net/2115/ Type.

INTRODUCTION TO PREDICATE LOGIC HUTH AND RYAN 2.1, 2.2, 2.4

R u t c o r Research R e p o r t. Relations of Threshold and k-interval Boolean Functions. David Kronus a. RRR , April 2008

Computational Logic. Davide Martinenghi. Spring Free University of Bozen-Bolzano. Computational Logic Davide Martinenghi (1/30)

Petri nets. s 1 s 2. s 3 s 4. directed arcs.

Interleaved Alldifferent Constraints: CSP vs. SAT Approaches

Model Checking: An Introduction

Lecture 9 Synthesis of Reactive Control Protocols

Conjunctive Normal Form and SAT

Symbolic Counterexample Generation for Large Discrete-Time Markov Chains

A Symbolic Approach to the Analysis of Multi-Formalism Markov Reward Models

The quantum query complexity of read-many formulas

Preliminaries and Complexity Theory

Equalities and Uninterpreted Functions. Chapter 3. Decision Procedures. An Algorithmic Point of View. Revision 1.0

Hardware Equivalence & Property Verification

Quine s Fluted Fragment is Non-elementary

Transcription:

Symbolic Model Checking with ROBDDs Lecture #13 of Advanced Model Checking Joost-Pieter Katoen Lehrstuhl 2: Software Modeling & Verification E-mail: katoen@cs.rwth-aachen.de December 14, 2016 c JPK

Symbolic representation of transition systems let TS =(S,,I,AP,L) be a large finite transition system the set of actions is irrelevant here and has been omitted, i.e., S S For n log S, let injective function enc : S {0, 1 } n note: enc(s) ={0, 1} n is no restriction, as all elements { 0, 1 } n \ enc(s) can be treated as the encoding of pseudo states that are unreachable Identify the states s S = enc 1 ({ 0, 1 } n ) with enc(s) {0, 1} n And T S by its characteristic function χ T : { 0, 1 } n {0, 1 } that is χ T (enc(s)) = 1 if and only if s T And S S by the Boolean function :{ 0, 1 } 2n {0, 1 } such that ( enc(s), enc(s ) ) =1if and only if s s c JPK 1

Switching functions Let Var = {z 1,...,z m } be a finite set of Boolean variables An evaluation is a function η : Var {0, 1 } let Eval(z 1,...,z m ) denote the set of evaluations for z 1,...,z m shorthand [z 1 = b 1,...,z m = b m ] for η(z 1 )=b 1,...,η(z m )=b m f : Eval(Var) {0, 1 } is a switching function for Var = {z 1,...,z m } Logical operations and quantification are defined by: f 1 ( ) f 2 ( ) = min{ f 1 ( ),f 2 ( ) } f 1 ( ) f 2 ( ) = max{ f 1 ( ),f 2 ( ) } z. f( ) = f( ) z=0 f( ) z=1, and z. f( ) = f( ) z=0 f( ) z=1 c JPK 2

Ordered Binary Decision Diagram Let be a variable ordering for Var where z 1 <...< z m An -OBDD is a tuple B = (V,V I,V T, succ 0, succ 1, var, val,v 0 ) with afinitesetv of nodes, partitioned into V I (inner) and V T (terminals) and a distinguished root v 0 V successor functions succ 0, succ 1 : V I V such that each node v V \{v 0 } has at least one predecessor labeling functions var : V I Var and val : V T {0, 1 } satisfying v V I w {succ 0 (v), succ 1 (v) } V I var(v) < var(w) c JPK 3

Reduced OBDDs A -OBDD B is reduced if for every pair (v, w) of nodes in B: v w implies f v f w in -ROBDDs any -consistent cofactor is represented by exactly one node c JPK 4

Reducing OBDDs Generate an OBDD (or BDT) for a switching function, then reduce by means of a recursive descent over the OBDD Elimination of duplicate leafs for a duplicate 0-leaf (or 1-leaf), redirect all incoming edges to just one of them Elimination of don t care (non-leaf) vertices if succ 0 (v) =succ 1 (v) =w, delete v and redirect all its incoming edges to w Elimination of isomorphic sub-trees if v w are roots of isomorphic sub-trees, remove w and redirect all incoming edges to w to v note that the first reduction is a special case of the latter c JPK 5

Variable ordering ROBDDs are canonical for a fixed variable ordering the size of the ROBDD crucially depends on the variable ordering # nodes in ROBDD B = # of -consistent co-factors of f Some switching functions have linear and exponential ROBDDs e.g., the addition function, or the stable function Some switching functions only have polynomial ROBDDs this holds, e.g., for symmetric functions (see next) examples f(...)=x 1... x n,orf(...)=1iff k variables x i are true Some switching functions only have exponential ROBDDs this holds, e.g., for the middle bit of the multiplication function c JPK 6

The function stable with exponential ROBDD x 1 x 2 x 2 x 3 x 3 x 3 x 3 y 1 y 1 y 1 y 1 y 1 y 1 y 1 y 1 y 2 y 2 y 2 y 2 y 3 y 3 1 The ROBDD of f stab (x, y) =(x 1 y 1 )... (x n y n ) has 3 2 n 1 vertices under ordering x 1 <...<x n < y 1 <... < y n c JPK 7

The function stable with linear ROBDD x 1 y 1 y 1 x 2 y 2 y 2 x 3 y 3 y 3 1 The ROBDD of f stab (x, y) =(x 1 y 1 )... (x n y n ) has 3 n +2vertices under ordering x 1 < y 1 <... < x n < y n c JPK 8

Another function with an exponential ROBDD z 1 z 2 z 2 z 3 z 3 z 3 z 3 y 1 y 1 y 1 y 1 y 2 y 2 y 3 0 1 ROBDD for f 3 (z, y) = (z 1 y 1 ) (z 2 y 2 ) (z 3 y 3 ) for the variable ordering z 1 < z 2 < z 3 < y 1 < y 2 < y 3 c JPK 9

And an optimal linear ROBDD z 1 y 1 ROBDD for f 3 ( ) = (z 1 y 1 ) (z 2 y 2 ) (z 3 y 3 ) z 2 for ordering z 1 < y 1 < z 2 < y 2 < z 3 < y 3 y 2 z 3 as all variables are essential for f, thisrobddis optimal y 3 1 0 that is, for no variable ordering a smaller ROBDD exists c JPK 10

Symmetric functions f Eval(z 1,...,z m ) is symmetric if and only if f([z 1 = b 1,...,z m = b m ]) = f([z 1 = b i1,...,z m = b i m]) for each permutation (i 1,...,i m ) of (1,...,m) E.g.: z 1 z 2... z m, z 1 z 2... z m, the parity function, and the majority function If f is a symmetric function with m essential variables, then for each variable ordering the -ROBDD has size O(m 2 ) c JPK 11

The even parity function f even (x 1,...,x n )=1iff the number of variables x i with value 1 is even truth table or propositional formula for f even has exponential size but an ROBDD of linear size is possible c JPK 12

The multiplication function Consider two n-bit integers let b n 1 b n 2...b 0 and c n 1 c n 2...c 0 where b n 1 is the most significant bit, and b 0 the least significant bit Multiplication yields a 2n-bit integer the ROBDD B fn 1 has at least 1.09 n vertices where f n 1 denotes the (n 1)-st output bit of the multiplication c JPK 13

Optimal variable ordering The size of ROBDDs is dependent on the variable ordering Is it possible to determine such that the ROBDD has minimal size? to check whether a variable ordering is optimal is NP-hard polynomial reduction from the 3SAT problem [Bollig & Wegener, 1996] There are many switching functions with large ROBDDs for almost all switching functions the minimal size is in Ω( 2n n ) How to deal with this problem in practice? guess a variable ordering in advance rearrange the variable ordering during the ROBDD manipulations not necessary to test all n! orderings, best known algorithm in O(3 n n 2 ) c JPK 14

Variable swapping c JPK 15

Sifting algorithm Dynamic variable ordering using variable swapping: [Rudell, 1993] 1. Select a variable x i in OBDD at hand 2. Successively swap x i to determine size(b) at any position for x i 3. Shift x i to position for which size(b) is minimal 4. Go back to the first step until no improvement is made Characteristics: a variable may change position several times during a single sifting iteration often yields a local optimum, but works well in practice c JPK 16

Interleaved variable ordering Which variable ordering to use for transition relations? The interleaved variable ordering: for encodings x 1,...,x n and y 1,...,y n of state s and t respectively: x 1 <y 1 <x 2 <y 2 <...<x n <y n This variable ordering yields compact ROBDDs for binary relations for transition relation with z 1...z m be the encoding of action α, take: z 1 <z 2 <...<z m }{{} encoding of α < x 1 <y 1 <x 2 <y 2 <... < x n <y n }{{} interleaved order of states c JPK 17

Symbolic model checking Take a symbolic representation of a transition system ( and χ B ) Backward reachability Pre (B) ={ s S s = B } Initially: f 0 = χ B characterizes the set T 0 = B Then, successively compute the functions f j+1 = χ Tj+1 for: T j+1 = T j {s S s S. s Post(s) s T j } Second set is given by: x. ( (x, x ) }{{} s Post(s) f j (x ) ) }{{} s T j f j (x ) arises from f j by renaming the variables x i into their primed copies x i c JPK 18

Symbolic computation of Sat( (C U B)) f 0 (x) :=χ B (x); j := 0; repeat f j+1 (x) :=f j (x) ( χ C (x) x. ( (x, x ) f j (x )) ) ; j := j +1 until f j (x) =f j 1 (x); return f j (x). c JPK 19

Symbolic computation of Sat( B) Compute the largest set T B withpost(t) T for all t T Take T 0 = B and T j+1 = T j {s S s S. s Post(s) s T j } Symbolically this amounts to: f 0 (x) :=χ B (x); j := 0; repeat f j+1 (x) :=f j (x) x. ( (x, x ) f j (x )); j := j +1 until f j (x) =f j 1 (x); return f j (x). Symbolic model checkers mostly use ROBDDs to represent switching functions c JPK 20

Synthesis of ROBDDs Construct a -ROBDD for f 1 op f 2 given -ROBDDs for f 1 and f 2 where op is a Boolean connective such as disjunction, implication, etc. Idea: use a single ROBDD with (global) variable ordering to represent several switching functions This yields a shared OBDD, which is: a combination of several ROBDDs with variable ordering by sharing nodes for common -consistent cofactors The size of -SOBDD B for functions f 1,...,f k is at most N f1 +...+ N fk where N f denotes the size of the -ROBDD for f c JPK 21

Shared OBDDs A shared -OBDD is an OBDD with multiple roots 0 1 Shared OBDD representing } z 1 z {{} 2, }{{} z 2, z } 1 {{ z } 2 and } z 1{{ z } 2 f 1 f 2 f 3 Main underlying idea: combine several OBDDs with same variable ordering such that common -consistent co-factors are shared f 4 c JPK 22

Using shared OBDDs for model checking Φ Use a single SOBDD for: (x, x ) for the transition relation f a (x), a AP, for the satisfaction sets of the atomic propositions The satisfaction sets Sat(Ψ) for every state sub-formula Ψ of Φ In practice, often the interleaved variable order for is used. c JPK 23

Relies on the use of two tables The unique table Synthesizing shared ROBDDs keeps track of ROBDD nodes that already have been created table entry var(v), succ 1 (v), succ 0 (v) for each inner node v main operation: find or add(z,v 1,v 0 ) with v 1 v 0 return v if there exists a node v = z,v 1,v 0 in the ROBDD if not, create a new z -node v with succ 0 (v) =v 0 and succ 1 (v) =v 1 implemented using hash functions (expected access time is O(1)) The computed table keeps track of tuples for which ITE has been executed (memoization) realizes a kind of dynamic programming c JPK 24

ITE normal form The ITE (if-then-else) operator: ITE(g, f 1,f 2 ) = (g f 1 ) ( g f 2 ) The ITE operator and the representation of the SOBDD nodes in the unique table: f v ( ) = ITE z, f succ1 (v),f succ 0 (v) Then: f = ITE(f, 0, 1) f 1 f 2 = ITE(f 1, 1,f 2 ) f 1 f 2 = ITE(f 1,f 2, 0) f 1 f 2 = ITE(f 1, f 2,f 2 ) = ITE(f 1, ITE(f 2, 0, 1),f 2 ) If g, f 1,f 2 are switching functions for Var, z Var and b {0, 1}, then ITE(g, f 1,f 2 ) z=b = ITE(g z=b,f 1 z=b,f 2 z=b ) c JPK 25

ITE-operator on shared OBDDs A node in a -SOBDD for representing ITE(g, f 1,f 2 ) is a node w with info z,w 1,w 0 where: z is the minimal (wrt. ) essential variable of ITE(g, f 1,f 2 ) w b is an SOBDD-node with f wb = ITE(g z=b,f 1 z=b,f 2 z=b ) This suggests a recursive algorithm: determine z recursively compute the nodes for ITE for the cofactors of g, f 1 and f 2 c JPK 26

ITE(u, v 1,v 2 ) on shared OBDDs (initial version) if u is terminal then if val(u) =1then w := v 1 (* ITE(1,f v1,f v2 ) = f v1 *) else w := v 2 (* ITE(0,f v1,f v2 ) = f v2 *) fi else z := min{var(u), var(v 1 ), var(v 2 )}; (* minimal essential variable *) w 1 := ITE(u z=1,v 1 z=1,v 2 z=1 ); w 0 := ITE(u z=0,v 1 z=0,v 2 z=0 ); if w 0 = w 1 then w := w 1 ; (* elimination rule *) else w := find or add(z, w 1,w 0 ); (* isomorphism rule *) fi fi return w c JPK 27

ROBDD size under ITE Thesizeofthe -ROBDD for ITE(g, f 1,f 2 ) is bounded by N g N f1 N f2 where N f denotes the size of the -ROBDD for f for some ITE-functions optimisations are possible, e.g., f g c JPK 28

ROBDD size under ITE Thesizeofthe -ROBDD for ITE(g, f 1,f 2 ) is bounded by N g N f1 N f2 where N f denotes the size of the -ROBDD for f Problem: for multiple paths from (u, v 1,v 2 ) to (u,v 1,v 2 ) multiple invocations of ITE(u,v 1,v 2 ) occur. Store triples (u, v 1,v 2 ) for which ITE already has been computed c JPK 29

Efficiency improvement by memoization if there is an entry for (u, v 1,v 2,w) in the computed table then return node w else if u is terminal then if val(u) =1then w := v 1 else w := v 2 fi else z := min{var(u), var(v 1 ), var(v 2 )}; w 1 := ITE(u z=1,v 1 z=1,v 2 z=1 ); w 0 := ITE(u z=0,v 1 z=0,v 2 z=0 ); if w 0 = w 1 then w := w 1 else w := find or add(z, w 1,w 0 ) fi; insert (u, v 1,v 2,w) in the computed table; return node w fi fi The number of recursive calls for the nodes u, v 1,v 2 equals the -ROBDD size of ITE(f u,f v1,f v2 ), which is bounded by N u N v1 N v2 c JPK 30

Some experimental results Traffic alert and collision avoidance system (TCAS) (1998) 277 boolean variables, reachable state space is about 9.610 56 states B = 124, 618 vertices (about 7.1 MB), construction time 46.6 sec checking (p q) takes 290 sec and 717,000 BDD vertices Synchronous pipeline circuit (1992) pipeline with 12 bits: reachable state space of 1.510 29 states checking safety property takes about 10 4 10 5 sec B is linear in data path width verification of 32 bits (about 10 120 states): 1h 25m using partitioned transition relations c JPK 31

Compositionality and ROBDDs c JPK 32

Zero-suppressed BDDs Some other types of BDDs like ROBDDs, but non-terminals whose 1-child is leaf 0 are omitted Parity BDDs like ROBDDs, but non-terminals may be labeled with ; no canonical form Edge-valued BDDs Multi-terminal BDDs (or: algebraic BDDs) like ROBDDs, but terminals have values in R, orn, etc. Binary moment diagrams (BMD) generalization of ROBDD to linear functions over bool, int and real uses edge weights c JPK 33

Further reading R. Bryant: Graph-based algorithms for Boolean function manipulation, 1986 R. Bryant: Symbolic boolean manipulation with OBDDs, Computing Surveys, 1992 M. Huth and M. Ryan: Binary decision diagrams, Ch 6 of book on Logics, 1999 H.R. Andersen: Introduction to BDDs, Tech Rep, 1994 K. McMillan: Symbolic model checking, 1992 Rudell: Dynamic variable reordering for OBDDs, 1993 Advanced reading: Ch. Meinel & Th. Theobald (Springer 1998) c JPK 34

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback