On Partitioning and Symbolic Model Checking FM 2005 - PowerPoint PPT Presentation

Slides: 40
Provided by: genedeskU
Learn more at: http://genedesk.ucsd.edu

1
On Partitioning and Symbolic Model Checking, FM 2005
  • Subramanian Iyer, UT-Austin
  • Debashis Sahoo, Stanford
  • E. Allen Emerson, UT-Austin
  • Jawahar Jain, Fujitsu Labs

2
Outline
  • Background
  • The Partitioning Approach
  • Model Checking
  • The naïve algorithm
  • An improved algorithm
  • Experiments and Conclusion

3
Outline
  • Background
  • The Partitioning Approach
  • Model Checking
  • The naïve algorithm
  • An improved algorithm
  • Experiments and Conclusion

4
Sequential Verification
  • Does the implementation fulfil its specification?
  • Model checking
  • State based
  • Given a system under test
  • Prove properties given in a temporal logic (e.g. CTL, LTL)
  • Required for model checking
  • Input data: transition relation
  • Generated: reachable states, forbidden states
  • Procedures: Boolean operations, image computation

5
Reachability Analysis
Algorithm (slide figure: a simple property over a state space of up to 2^n states):

  From := Reached := S0
  do
    To := Img(TR, From)
    New := To \ Reached
    Reached := Reached ∪ To
    From := New
  while (New ≠ Ø)

6
Model Checking
  • Hinges on reachability
  • Basic operation: pre-image
  • In simple terms
  • Given a bad formula f
  • Compute reachable states
  • Compute states satisfying f
  • Pass if the intersection is empty
  • Key issues: state set generation and representation
  • Extensional, as originally proposed
  • Symbolic, as now practiced
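The reachability loop of slide 5 and the pass/fail check of slide 6, carried through on a small circuit as an added worked example that is not part of the original presentation. Sets of assignments stand in for ROBDDs: conjunction is a natural join and existential quantification is projection. The 3-bit Johnson counter, the forbidden states 010 and 101, and the names `Rel`, `img_partitioned`, `reachable` and `invariant_holds` are all constructed for this example; the split of TR into one part per state variable follows slide 11 and the early-quantification order of slide 13.

```python
from itertools import product


class Rel:
    """A relation over named Boolean variables, stored as an explicit set of
    assignments (one tuple per satisfying row, in the order of `vars`)."""

    def __init__(self, vars, rows):
        self.vars = tuple(vars)
        self.rows = frozenset(tuple(r) for r in rows)

    def __and__(self, other):
        """Conjunction: natural join on the variables both relations share."""
        shared = [v for v in self.vars if v in other.vars]
        extra = [v for v in other.vars if v not in self.vars]

        def key(row, vs):
            return tuple(row[vs.index(v)] for v in shared)

        index = {}
        for o in other.rows:
            index.setdefault(key(o, other.vars), []).append(o)
        rows = set()
        for r in self.rows:
            for o in index.get(key(r, self.vars), ()):
                rows.add(r + tuple(o[other.vars.index(v)] for v in extra))
        return Rel(self.vars + tuple(extra), rows)

    def exists(self, qvars):
        """Existential quantification: project the given variables away."""
        keep = [i for i, v in enumerate(self.vars) if v not in qvars]
        return Rel([self.vars[i] for i in keep],
                   {tuple(r[i] for i in keep) for r in self.rows})

    def rename(self, mapping):
        return Rel([mapping.get(v, v) for v in self.vars], self.rows)


X = ("x0", "x1", "x2")  # present-state variables
Y = ("y0", "y1", "y2")  # next-state variables

# Constructed sample circuit: a 3-bit Johnson (twisted-ring) counter with
# next-state functions y0 = NOT x2, y1 = x0, y2 = x1.  As on slide 11, TR is
# the implicit conjunction of one part per state variable, and each part
# mentions only the variables its transition function reads.
TR_PARTS = [
    Rel(("x2", "y0"), {(a, 1 - a) for a in (0, 1)}),
    Rel(("x0", "y1"), {(a, a) for a in (0, 1)}),
    Rel(("x1", "y2"), {(a, a) for a in (0, 1)}),
]


def to_rel(states):
    """Encode integer states (bit k of s is x_k) as a relation over X."""
    return Rel(X, {tuple((s >> k) & 1 for k in range(3)) for s in states})


def to_states(rel):
    pos = [rel.vars.index(v) for v in X]
    return {sum(r[p] << k for k, p in enumerate(pos)) for r in rel.rows}


def img_monolithic(from_rel, widths=None):
    """Img(TR, A) = exists x. TR(x, y) AND A(x), with TR built as one relation."""
    tr = TR_PARTS[0]
    for part in TR_PARTS[1:]:
        tr = tr & part
    joined = from_rel & tr
    if widths is not None:
        widths.append(len(joined.vars))  # width of the intermediate relation
    return joined.exists(X).rename(dict(zip(Y, X)))


def img_partitioned(from_rel, widths=None, order=(0, 1, 2)):
    """Same image by early quantification (slide 13): conjoin one TR_j at a
    time and quantify every x variable that no later TR_j still mentions."""
    acc = from_rel
    for pos, j in enumerate(order):
        acc = acc & TR_PARTS[j]
        later = {v for k in order[pos + 1:] for v in TR_PARTS[k].vars}
        acc = acc.exists([v for v in X if v not in later])
        if widths is not None:
            widths.append(len(acc.vars))
    return acc.rename(dict(zip(Y, X)))


def reachable(s0, img):
    """The loop of slide 5; returns the reached set and the number of images."""
    reached, frontier, images = set(s0), set(s0), 0
    while True:
        to = to_states(img(to_rel(frontier)))
        images += 1
        new = to - reached
        reached |= to
        frontier = new
        if not new:
            return reached, images


def invariant_holds(reached, forbidden):
    """Slide 6: the check passes if no forbidden state is reachable."""
    return reached.isdisjoint(forbidden)
```

From state 000 the counter visits 001, 011, 111, 110 and 100 and returns, so 010 and 101 are never reached and the check passes. With the parts conjoined in the order TR_0, TR_1, TR_2, each x variable can be quantified right after the only part that reads it, so the widest intermediate relation has three variables, against six when TR is first built monolithically; on real designs that difference in the intermediate object is what keeps the image BDD from blowing up.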

7
Ordered Binary Decision Diagrams
  • BDDs with
  • the read-once property
  • a fixed variable order
  • The restrictions guarantee
  • Canonicity
  • Efficient algorithms for Boolean operations, tautology, SAT and equivalence checking
  • Disadvantage
  • Blow-up possible
  • The minimizing problem
  • Better BDD types (?)
  • Transformations (?)
  • Variable reordering
  • Local search: sifting

8
Symbolic Model Checking
  • Using BDDs to represent sets of states
  • Key operation is image computation
  • Using transition relation
  • Necessary to succinctly represent the transition
    relation
  • What is the problem?

9
The Bottleneck in Verification
  • State-based verification, model checking
  • Can be fully automated in principle
  • Why not in practice?
  • State space representation
  • Symbolically manifests as BDD blowup
  • Limits extent of automation
  • Limits size of designs that can be handled
  • Capacity is restricted by representation size
  • Memory restricts time
  • BDD based tools crash or thrash
  • So what can be done?

10
Outline
  • Background
  • The Partitioning Approach
  • Model Checking
  • The naïve algorithm
  • An improved algorithm
  • Experiments and Conclusion

11
Partitioned Transition Relation
  • Represented as a conjunction of k parts TR_i
  • Easy to construct for synchronous circuits
  • Conjunction of bitwise TR_i, each being the transition function of one state variable
  • Set of variables partitioned into k disjoint subsets
  • Transition functions for the variables in each subset are conjuncted together to give TR_i
  • TR is the implicit conjunction of the TR_i for i in 1 to k

12
Partitioned TR (Contd)
  • Basis of reachable states computation
  • Partitioned TR

[Figure: a partitioned TR, each TR_j a cluster of ROBDDs, versus one monolithic ROBDD]
13
Image Computation
  • The image computation step
  • Partitioned TR useful due to early
    quantification (AndExist)
  • The choice and order of the TR_j is crucial for good performance!

Img(TR, A) = ∃x ( TR(x, y) ∧ A(x) )
Img(TR, A) = ∃x_n ( TR_n ∧ ... ∧ ∃x_2 ( TR_2 ∧ ∃x_1 ( TR_1 ∧ A ) ) ... )
14
Partitioned TR - Observations
  • What is it that is partitioned?
  • The set of variables
  • The relation
  • Actual TR is an implicit conjunction
  • Sets of states always ROBDD
  • During image computation
  • Before and After image computation

15
So What?
  • Sets of states as ROBDDs
  • Can get very large
  • TR parts repeatedly conjuncted
  • During each image
  • Made easier combined with quantification
  • Still repeated expense
  • Solution: partition all state-sets

16
Partitioned ROBDD (POBDD)
Given the Boolean function f, X_f is its partitioned-ROBDD representation if …, where … and … are ROBDDs with variable ordering π_i, and each w_i is called a window function.
Note that the ROBDDs in each partition may have a different variable ordering π_i.
[Figure: window functions w1, w2, w3, w4]
17
A simple example
  • f = c · (a1 b1 + a2 b2) + c̄ · (a1 a2 + b1 b2)
  • w1 = c
  • w2 = c̄
  • f1 = c · (a1 b1 + a2 b2)
  • f2 = c̄ · (a1 a2 + b1 b2)

[Figure: the ROBDDs of f1 and f2]
π1 = c, a1, b1, a2, b2
π2 = c, a1, a2, b1, b2
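An added example (not from the slides) that checks the partitioned-ROBDD definition of slide 16 on the function of slide 17 and measures why each partition gets its own ordering. Functions are plain Python callables; the windows w1 = c and w2 = ¬c follow this reading of the slide; `robdd_size` recovers the ROBDD node count under an ordering directly from the truth table (one node per distinct residual function that still depends on the level's variable), so no BDD package is needed. The names `pobdd`, `robdd_size`, `PI1` and `PI2` are chosen here.

```python
from itertools import product

VARS = ("c", "a1", "a2", "b1", "b2")


def f(c, a1, a2, b1, b2):
    """f = c (a1 b1 + a2 b2) + NOT c (a1 a2 + b1 b2), as read from slide 17."""
    return bool((c and (a1 and b1 or a2 and b2)) or
                (not c and (a1 and a2 or b1 and b2)))


# Window functions of slide 17 (polarity chosen here): w1 = c, w2 = NOT c.
WINDOWS = [lambda **v: bool(v["c"]), lambda **v: not v["c"]]


def pobdd(func, windows):
    """Build the partitioned-ROBDD X_f = {(w_i, f_i)} with f_i = w_i AND f
    (slide 16), checking that the windows cover every assignment exactly
    once and that the parts recombine to f."""
    parts = [lambda w=w, **v: bool(w(**v) and func(**v)) for w in windows]
    for assignment in product((0, 1), repeat=len(VARS)):
        v = dict(zip(VARS, assignment))
        if sum(bool(w(**v)) for w in windows) != 1:
            raise ValueError("windows must partition the input space")
        if any(p(**v) for p in parts) != func(**v):
            raise ValueError("parts do not recombine to f")
    return parts


def robdd_size(func, order):
    """Internal node count of the ROBDD of `func` under `order`.  At level i
    there is one node per distinct residual function (over the variables from
    position i on) that still depends on order[i], taken across all
    assignments to the variables placed before it."""
    n, total = len(order), 0
    for i in range(n):
        residuals = set()
        for prefix in product((0, 1), repeat=i):
            table = tuple(func(**dict(zip(order, prefix + suffix)))
                          for suffix in product((0, 1), repeat=n - i))
            half = len(table) // 2  # rows with order[i] = 0 come first
            if table[:half] != table[half:]:
                residuals.add(table)
        total += len(residuals)
    return total


PI1 = ("c", "a1", "b1", "a2", "b2")  # ordering used for f1 on slide 17
PI2 = ("c", "a1", "a2", "b1", "b2")  # ordering used for f2 on slide 17
```

Under its own ordering π1, f1 has 5 internal nodes, but 7 under π2; f2 is the mirror image (5 under π2, 7 under π1). Because each partition is free to pick the ordering that suits it, both parts stay at 5 nodes, which is the point of allowing a different π_i per window.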
18
On Using Partitioning
  • Sets of states disjunctively partitioned
  • Key: use the same partitioning windows
  • In particular, for the set of reachable states
  • Induces a disjunctive partitioning on TR
  • TR is a relation on state pairs: quadratically many parts TR_ij
  • Notice each such TR_ij can further be
  • Monolithic, disjunctive, or conjunctive
  • Image computation
  • Must consider the To and From set in each partition

19
Reachability Revisited
Old algorithm:

  From := Reached := S0
  do
    To := Img(TR, From)
    New := To \ Reached
    Reached := Reached ∪ To
    From := New
  while (New ≠ Ø)

Notice that From is now partitioned: TR applied to From_i of partition i yields a result To_i that is also partitioned, so To_ij is owned by partition j and must be handed over to j. There is a quadratic number of such transfers!
20
Image and Reachability
  • Fixpoint computations performed
  • On each partition locally, using TR_ii
  • Use the reachability algorithm on ROBDDs
  • Synchronization between partitions
  • Cross-over images find states using TR_ij (i ≠ j)
  • Must keep it infrequent
  • Postponed till the local fixpoint is reached
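The naive loop of slide 19 beside the local-fixpoint-then-cross-over scheme of slide 20, as an added example that is not part of the original presentation. The 4-bit counter with an enable input (so every state also holds), the four windows given by the top two state bits, and the names `img`, `naive_reach` and `partitioned_reach` are all constructed here; `img(A, i, j)` plays the role of Img(TR_ij, A) for the disjunctive partitioning of TR that the windows induce (slide 18).

```python
K = 4  # number of windows / partitions; states are the integers 0..15


def window(s):
    return s >> 2  # window = top two bits of the state


def succ(s):
    """Next states of the constructed circuit: hold (enable = 0) or count."""
    return {s, (s + 1) % 16}


def img(states, i, j):
    """Img(TR_ij, A): successors of A restricted to window i that land in window j."""
    return {t for s in states if window(s) == i for t in succ(s) if window(t) == j}


def naive_reach(s0):
    """Slide 19: the classical loop over a partitioned From set.  Every image
    To_ij with i != j is a transfer to partition j and is counted as a cross-over."""
    reached, frontier, crossovers = set(s0), set(s0), 0
    while frontier:
        to = set()
        for i in range(K):
            from_i = {s for s in frontier if window(s) == i}
            if not from_i:
                continue
            for j in range(K):
                to |= img(from_i, i, j)
                if i != j:
                    crossovers += 1
        frontier = to - reached
        reached |= to
    return reached, crossovers


def partitioned_reach(s0):
    """Slide 20: run reachability to a local fixpoint inside each window using
    only TR_jj, and take cross-over images only after every window converged,
    and only from the states a window gained in this round."""
    R = [set() for _ in range(K)]
    pending = [set() for _ in range(K)]
    for s in s0:
        pending[window(s)].add(s)
    crossovers = 0
    while any(pending):
        grown = [set() for _ in range(K)]  # states each window gained this round
        for j in range(K):
            frontier = pending[j] - R[j]
            while frontier:  # local fixpoint: the loop of slide 5 on window j
                R[j] |= frontier
                grown[j] |= frontier
                frontier = img(frontier, j, j) - R[j]
        pending = [set() for _ in range(K)]
        for i in range(K):
            if not grown[i]:
                continue
            for j in range(K):
                if j != i:
                    crossovers += 1
                    pending[j] |= img(grown[i], i, j) - R[j]
    return set().union(*R), crossovers
```

Both routines reach all 16 states from 0. The naive loop advances one state per image and pays three cross-over images each time, 48 in all; the partitioned scheme finishes each window locally and then crosses over once per window, 12 in all, which is the "keep it infrequent" of the slide.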

21
Reachability example: initial set
22
Local Fix Point
23
Cross-over images
[Figure: windows w1 to w4; the reachable set R1 of w1 with its cross-over images T12, T13, T14 into w2, w3, w4; I3(x)]
24
Another local fixpoint
25
More cross-over images
26
Example, cont.
27
Outline
  • Background
  • The Partitioning Approach
  • Model Checking
  • The naïve algorithm
  • An improved algorithm
  • Experiments and Conclusion

28
CTL temporal properties
  • EX(f), E(f U g), EG(f) form a basis set
  • Invariant checking: AG p
  • Absence of deadlock
  • Return to reset state: AG EF(s0)
  • Temporal implication: AG(p → EF q)
  • Liveness: EG p, AF p

29
Outline
  • Background
  • The Partitioning Approach
  • Model Checking
  • The naïve algorithm
  • An improved algorithm
  • Experiments and Conclusion

30
Image Computation EX p

  forall (partitions j)
    forall (partitions k)
      PreImg_jk(s) = ∃s', i . TR_jk(s, s', i) ∧ p_k(s')
      reorder BDD PreImg_jk from partition order k to j
    end for
    S_j = ∨_k PreImg_jk
  end for
  output S

31
Least Fixpoint E(p U q)

  S = q, S.old = NULL
  repeat
    S.old = S
    temp = computeEX(S)
    forall (partitions j)
      S_j = q_j ∨ (p_j ∧ temp_j)
    end for
  until (S = S.old)
  output S

32
Greatest Fixpoint EG p

  S = p
  repeat
    S.old = S
    temp = computeEX(S)
    forall (partitions j)
      S_j = p_j ∧ temp_j
    end for
  until (S = S.old)
  output S

33
What's the problem?
  • Image computation has two parts
  • Transitions local to a partition (i = j)
  • Transitions crossing over partitions (i ≠ j)
  • Cross-over images are expensive!
  • Get BDDs, maybe from disk
  • Store BDDs, maybe over the network
  • Reorder large BDDs
  • The classical algorithm does one set of cross-over images during each EX.

34
Outline
  • Background
  • The Partitioning Approach
  • Model Checking
  • The naïve algorithm
  • An improved algorithm
  • Experiments and Conclusion

35
Least Fixpoint E(p U q)

  S = q, S.old = NULL
  repeat
    S.old = S
    forall (partitions j)
      repeat
        S_j.old = S_j
        S_j = S_j ∨ (p_j ∧ EX_l(S_j, j))        -- under-approximate
      until (S_j = S_j.old)
    end for
    S = S ∨ (p ∧ EX_c(S))                       -- add missing states
  until (S = S.old)
  output S

36
Greatest Fixpoint EG p

  S = p
  Border = p ∧ EX_c(S)                          -- candidate set
  repeat
    S.old = S
    forall (partitions j)
      repeat
        S_j.old = S_j
        S_j = p_j ∧ (EX_l(S_j, j) ∨ Border_j)   -- over-approximate
      until (S_j = S_j.old)
    end for
    Border = p ∧ EX_c(S)                        -- prune states
  until (S = S.old)
  output S
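The classical fixpoints of slides 30 to 32 and the improved ones of slides 35 and 36, side by side, as an added example that is not part of the original presentation; it counts cross-over pre-images, the operation slide 33 singles out as expensive. The eight-state transition structure, the propositions P and Q, the two windows given by the top state bit, and the names `pre`, `ex`, `eu_classical`, `eg_classical`, `eu_improved` and `eg_improved` are all constructed for this example; explicit successor sets take the place of the partitioned TR and its ROBDDs.

```python
K = 2  # windows: the top bit of the state


def window(s):
    return s >> 2


# Constructed transition structure (successor sets) and atomic propositions.
EDGES = {0: {1}, 1: {2}, 2: {3}, 3: {4}, 4: {5}, 5: {6, 1}, 6: {5, 7}, 7: {0}}
P = {0, 1, 2, 3, 5, 6, 7}
Q = {2}


def pre(states, j, k):
    """PreImg_jk of slide 30: states of window j with a successor in window k
    that lies in `states`."""
    targets = {t for t in states if window(t) == k}
    return {s for s in EDGES if window(s) == j and EDGES[s] & targets}


def ex(S, stats, cross_only=False):
    """EX over the (j, k) partition pairs of slide 30.  Each pair with j != k
    is a cross-over pre-image and is counted; with cross_only this is EX_c."""
    out = set()
    for j in range(K):
        for k in range(K):
            if j == k and cross_only:
                continue
            if j != k:
                stats["cross"] += 1
            out |= pre(S, j, k)
    return out


def ex_local(S_j, j):
    return pre(S_j, j, j)  # EX_l: transitions inside window j only


def split(S):
    return [{s for s in S if window(s) == j} for j in range(K)]


def eu_classical(p, q):
    """Slide 31: E(p U q) with a full EX, cross-overs included, per iteration."""
    stats, S, old = {"cross": 0}, set(q), None
    while S != old:
        old = S
        S = q | (p & ex(S, stats))
    return S, stats["cross"]


def eg_classical(p):
    """Slide 32: EG p, likewise one full EX per iteration."""
    stats, S, old = {"cross": 0}, set(p), None
    while S != old:
        old = S
        S = p & ex(S, stats)
    return S, stats["cross"]


def eu_improved(p, q):
    """Slide 35: local least fixpoints under-approximate E(p U q) in each
    window; a single cross-over image per outer round adds missing states."""
    stats, S, old = {"cross": 0}, set(q), None
    while S != old:
        old = S
        parts = split(S)
        for j in range(K):
            prev = None
            while parts[j] != prev:
                prev = parts[j]
                parts[j] = parts[j] | (p & ex_local(parts[j], j))
        S = set().union(*parts)
        S = S | (p & ex(S, stats, cross_only=True))
    return S, stats["cross"]


def eg_improved(p):
    """Slide 36: Border holds the states with a p-successor in another window,
    so local greatest fixpoints over-approximate EG p; one cross-over image
    per round recomputes Border and prunes states that lost their support."""
    stats, S, old = {"cross": 0}, set(p), None
    border = p & ex(S, stats, cross_only=True)
    while S != old:
        old = S
        parts = split(S)
        for j in range(K):
            prev = None
            while parts[j] != prev:
                prev = parts[j]
                border_j = {s for s in border if window(s) == j}
                parts[j] = p & (ex_local(parts[j], j) | border_j)
        S = set().union(*parts)
        border = p & ex(S, stats, cross_only=True)
    return S, stats["cross"]
```

On this structure both versions agree: E(P U Q) = {0, 1, 2, 5, 6, 7} and EG P = {5, 6}. The classical E(p U q) runs four global EX steps and so computes 8 cross-over pre-images, the improved one 6; for EG p the chain 0 → 1 → 2 → 3 out of p is pruned one state per global step classically (12 cross-over pre-images), whereas the local fixpoint removes it in one round (8). The gap widens with the number of windows and with how much of each fixpoint can be settled locally.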

37
Outline
  • Background
  • The Partitioning Approach
  • Model Checking
  • The naïve algorithm
  • An improved algorithm
  • Experiments and Conclusion

38
VIS Verilog benchmarks (C/O = cross-over images, M/C = model checking)

Ckt      C/O old   C/O new   C/O time old   C/O time new   Total M/C time old   Total M/C time new
S1269          8         8             67              1                   93                    1
Soap          53         5            592              1                  714                   28
Ghg         9367         6            166            .15                  280                   27
Sppint        16         6              4              1                   24                    2
Gcd           15         7             19             .7                   69                  108
39
Conclusions
  • Assuming a model where cross-over images are
    very expensive, the proposed algorithm
  • Is no worse than the classical algorithm
  • Converges faster, empirically, in terms of
  • Number of cross-over images
  • Time spent in cross-over images
  • Reduces total model checking time
  • Often quite significantly
  • Is good for parallel model checking