Implicit and explicit exploration of the reachable state space of Esterel logical circuits

1
Implicit and explicit explorationof the
reachable state spaceof Esterel logical circuits
PhD Defense
Yannis BRES
Advisor Gérard BERRY
December 12th, 2002
2
Outline
Introduction
Context of this work, the reactive synchronous
approach, Esterel, automata and circuits,
reachable state space computation, BDDs
I Pure implicit approach
A formal verifier offering variable inputization
or abstraction
II Enumerative approach
A versatile engine for the exploration of
reachable state spaces
Automaton generation
Formal verification
Exhaustive test sequence generation
Conclusions and future prospects
3
The reactive synchronous approach
Reactive programs
Execution split in reactions (instants), time is
discrete
Environment analysis then reaction to this
environment
Synchronous programs
Theoretical simplification reaction duration is
0, instantaneous broadcast
Broad application domain
Real-time systems
Control/supervision of industrial processes
Embedded systems
Physical controlers

Based upon the semantic model of Finite State
Machines (FSMs)
4
Esterel
A reactive synchronous imperative language with
control-flow dominance
Modules/blocks run in parallel or sequentially
Modules/blocks can be preempted, suspended and
resumed
Communication performed through instantaneously
broadcast signals
Formal semantics
module Synchronize input A, B output O
await A await B emit O end module
5
Explicit automata
Central design representation in Esterel v1, v2,
v3 automata
Automata can be exponentials both
? in construction time
? in storage space
module Synchronize input A, B output O
await A await B emit O end module
6
Circuits
Central design representation since Esterel v4
logical circuits
Generation time and storage space are linear with
respect to source code size
7
Automata vs. Circuits
Let's add a C signal in the previous program
8
Automata vs. Circuits
Let's add a C signal in the previous program
9
Formal verification by observers
module Synchronize input A, B output O
await A await B emit O end module
abort await O emit BUG when A

Observers run in parallel with the program to be
verified
Answer formally to the question "can BUG ever be
emitted?"
Safety properties
"something wrong never occurs"
Safety properties
"something good will occur sooner or later"
10
Reachable state space computation
Cornerstone of numerous applications
reachable statespace computation(RSS)
11
Reachable state space computation
"Onion" representation, by depth level
Initial state
States reachable in 1 tick
States reachable in 2 ticks
States reachable in 3 ticks

Several approaches to RSS computation
12
Binary Decision Diagrams (BDDs)
Variable ordering is constant within the whole
tree (here x1 lt y1 lt x2 lt y2)
Variable node (x1, x2, y1, y2)
"When false" path
Terminal node (0 or 1 constants)
"When true" path
x1
(x1 ? y1) ? (x2 ? y2)
y1
y1
x2
x2
x2
x2
y2
y2
y2
y2
y2
y2
y2
y2
1
0
0
1
0
0
0
0
0
0
0
0
1
0
0
1
13
Binary Decision Diagrams (BDDs)
Several simplification rules
1)
Useless tests are removed
x1
(x1 ? y1) ? (x2 ? y2)
y1
y1
x2
x2
x2
x2
0
y2
y2
y2
y2
y2
y2
y2
y2
1
0
0
1
0
0
0
0
0
0
0
0
1
0
0
1
14
Binary Decision Diagrams (BDDs)
Several simplification rules
1)
Useless tests are removed
2)
Isomorph nodes/trees are shared
x1
(x1 ? y1) ? (x2 ? y2)
y1
y1
x2
x2
0
0
y2
y2
y2
y2
1
0
0
1
1
0
0
1
15
Binary Decision Diagrams (BDDs)
Several simplification rules
1)
Useless tests are removed
2)
Isomorph nodes/trees are shared
3)
Edges are tagged in order to share opposite nodes
(not shown here)
x1
(x1 ? y1) ? (x2 ? y2)
y1
y1
x2
x2
x2
x2
y2
y2
y2
y2
y2
y2
y2
y2
1
0
0
1
0
0
0
0
0
0
0
0
0
1
1
0
16
Binary Decision Diagrams (BDDs)
In most cases
A very compact representation of boolean functions
Very efficient algorithms for boolean function
manipulations
Uses
Representation of functions associated to circuit
gates
Representation of sets through their
caracteristic function
Worst-case complexities in both time and space
17
Reachable state space computation using BDDs
Exponentially complex wrt the number of involved
variables
1 BBD variable per input
Intermediate variable must be ?, doesn't appear
in results
1 BDD variable per state variables
(register/latch)
Persistent variable must be ?, appears in results
? Goal reducing the number of state variables!
18
Outline
Introduction
Context of this work, the reactive synchronous
approach, Esterel, automata and circuits,
reachable state space computation, BDDs
I Pure implicit approach
A formal verifier offering variable inputization
or abstraction
II Enumerative approach
A versatile engine for the exploration of
reachable state spaces
Automaton generation
Formal verification
Exhaustive test sequence generation
Conclusions and future prospects
19
Reducing the number of variables
A usual technique for state variable number
reduction
Turn state variables into free inputs
(inputization)

Less variables to substitute

As many variables to ?
Our approach abstract variables using a
ternary-valued logic (0,1,d)
Variables to be abstracted are replaced by the
constant d (indifferent)

Less variables to substitute

Less variables to ?
Abstracted variables are pre-quantified
Ternary-valued logic (0,1,d)
20
Inputization and abstraction example
input A, B output O await A await B
emit O
inputization
abstraction
21
Over-approximation
Both inputization and abstraction weakens
contraints between variables
?
Conservative over-approximation with respect to
the RSS
?
Formal verif. no erroneous validation, only
erroneous refutations
?
"Snowball effect"

Inputization maintains correlation between
variable instances
r ? ?r ? i ? ?i 0
r ? ?r ? i ? ?i 1
-
Abstraction loses correlation between variable
instances
r ? ?r ? d ? ?d d
r ? ?r ? d ? ?d d
22
Over-approximation
Both inputization and abstraction weakens
contraints between variables
?
Conservative over-approximation with respect to
the RSS
?
Formal verif. no erroneous validation, only
erroneous refutations
?
"Snowball effect"

Inputization maintains correlation between
variable instances
r ? ?r ? i ? ?i 0
r ? ?r ? i ? ?i 1
-
Abstraction lose correlation between variable
instances
r ? ?r ? d ? ?d d
r ? ?r ? d ? ?d d
-
Additional source of over-approximation within
the RSS computation when using a ternary-valued
logic set widening
23
The Esterel selection tree
await I1 do something await I2 do
something await I3 do something
await I4 do something
1

2
?
3

4
24
Our formal verifier evcl
Esterel Verification Command Line
Main functionalities
Variable inputization and abstraction
Over-approximation reduction using structural
informations
White-box (integrated observers) / Black-box
(external observers)

gt 30 000 lines of C (and gt 21 000 lines of
shared libraries)
Experimentations
(Mirage 2000-9 fuel management system, A380
warning system)
Abstraction can be up to 26 times faster than
inputization
When over-approximation races out of control,
computations stop quickly
? Nothing to lose in trying it!
25
Outline
Introduction
Context of this work, the reactive synchronous
approach, Esterel, automata and circuits,
reachable state space computation, BDDs
I Pure implicit approach
A formal verifier offering variable inputization
or abstraction
II Enumerative approach
A versatile engine for the exploration of
reachable state spaces
Automaton generation
Formal verification
Exhaustive test sequence generation
Conclusions and future prospects
26
Reachable state space computation
"Onion" representation, by depth level
Initial state
States reachable in 1 tick
States reachable in 2 ticks
States reachable in 3 ticks

Several approaches to RSS computation
27
Enumerative RSS computation
A versatile engine for the exploration of
reachable state spaces
Automaton generation
Formal verification
Exhaustive test sequence generation
States are individually analysed by propagating
information within the circuit
Pure explicit approach
Transitions analysed through recursive branchings
on inputs
Hybrid implicit/explicit approach
Transitions analysed through BDD propagations
Transparent support for (constructive) cyclic
circuits
Several heuristics aiming at avoiding time or
space explosion
? Very good performances
gt 18 000 lines of C (and gt 21 000 lines of
shared libraries)
28
Automaton generation
Central design representation in Esterel v1, v2,
v3 automata
Risk of explosion in both time and space
Central design representation since Esterel v4
logical circuits
Basically linear wrt source code in both
generation time and storage space
Automaton generation has been neglected since v4
v4 generator had very bad performances
v4 generator could not handle cyclic circuits

Advantages of automata remain!
Usually a very efficient implementation
A maximum of the control flow is computed at
compilation time
Only data-dependent expressions remain to be
evaluated at run time
Automata explicit numerous informations
concerning designs
29
Automaton generation
How to generate an automaton?
Enumerative approach practicaly unavoidable
(for the respect of action causality)
Pure explicit approach better than hybrid approach
(too much BDD cofactorisations are required)
Our automaton generator, scoc
By far more efficient than the v4 generator
Integrated into the Esterel compiler since v5_91
From now on marketed by Esterel Technologies Inc.
30
Application to formal verification
Pure implicit approach unavoidable for most
designs
Pure implicit approach drawbacks
Behaviour difficult to foresee, risks of explosion
Can only be applied to acyclic circuits
Very sensitive to redundant registers
Enumerative approach pros
Behaviour usually very steady
Transparent support for cyclic circuits
Non-sensitive to redundant registers or design
depth
Usually a lot much slower, can only be used in
precise cases
Deep designs (SAT ? ?)
Designs with numerous redundant registers (BDDs ?
?)
31
Formal verification experimentations
Purely linear testbench (depth 243 states 243)
Texas Instruments data bus (depth 181 states
652 948)
32
Generation of exhaustive test sequences
Finite State Machine semantic model
? Generation of exhaustive tests sequences is
feasible
Different coverage goals
State coverage
Coverage of pathes leading to specific signals
emission
Transition coverage

33
Generation of exhaustive test sequences
Esterel Technologies approach pure implicit
Standard RSS computation (except for transition
coverage)
Transitions are built by reverse image
computations
Coverage data updates ? BDD updates
Complete transition coverage not implemented
Only connected state pairs are connected
Number of state variables is doubled
Enumerative approach is more suited and not
sensitive to coverage goal
34
State coverage Experimentations
35
Conclusions
A formal verification tool based on pure implicit
approach
Variables can be replaced by free inputs
Variables can be abstracted using a
ternary-valued logic
Over-approximation reduction using structural
information
White/Black box verification

An engine for the exploration of reachable state
spaces
Enumerative analysis of states
Explicit or implicit analysis of transitions
Versatile
Automaton generation
Formal verification
Generation of exhaustive test sequences
36
Future prospects
Implicit approach
Automate the selection of variables to
inputize/abstract
Variable weighting heuristics of Quer/Cabodi et
al. ?
In case of excessive over-approximation, refine
abstraction
Counter-example analysis of Clarke/Grumberg et al.
Combine variable abstraction and RSS computation
decomposition
Cho/Govidaraju et al. approaches

Enumerative approach
Compact the known state table
Bitstate hashing of Holzmann, hash compaction of
Stern/Dill et al.
State analysis prioritization (bug chasing)
Yang/Dill et al.