Semantics & Verification Lecture 14 Gerd Behrmann Outline of - - PowerPoint PPT Presentation



SLIDE 1

Semantics & Verification

Lecture 14

Gerd Behrmann

SLIDE 2

Outline of remaining lectures

  • Lecture 9: Modelling real time system
  • Lecture 10: More on Uppaal + mini projects
  • Lecture 11: Mini projects
  • Lecture 12: Verification of timed automata
  • Lecture 13: Binary Decision Diagrams
  • Lecture 14: Using BDDs for the purpose of verification
  • Lecture 15: Round-up of course
SLIDE 3

ROBDDs formally

SLIDE 4

Reduced Ordered Binary Decision Diagrams

Iben

Edges to 0 implicit

SLIDE 5

Ordering does matter!

Variable ordering

SLIDE 6

Canonicity of ROBDDs

SLIDE 7

BUILD

Run time?


SLIDE 8

APPLY operation

SLIDE 9

APPLY example

SLIDE 10

Other operations

SLIDE 11

ROBDDs and Verification

[…, McMillan’90, …, VVS]

SLIDE 12

ROBDD encoding of transition system

(figure: transition system over the four states 00, 10, 01, 11)

Trans(x1,x2,y1,y2):= !x1 & !x2 & !y1 & y2 + !x1 & !x2 & y1 & y2 + x1 & !x2 & !y1 & y2 + x1 & !x2 & y1 & y2 + x1 & x2 & y1 & !y2;

Encoding of states using binary variables (here x1 and x2). Encoding of the transition relation using source and target variables (here x1, x2, y1, and y2).

SLIDE 13

ROBDD representation (cont.)

Trans(x1,x2,y1,y2):= !x1 & !x2 & !y1 & y2 + !x1 & !x2 & y1 & y2 + x1 & !x2 & !y1 & y2 + x1 & !x2 & y1 & y2 + x1 & x2 & y1 & !y2;

(figure: ROBDD of Trans, and the transition system over states 00, 10, 01, 11)

SLIDE 14

ROBDD for parallel composition

(figure: ATrans(x,y) and BTrans(u,v), each over states 00, 10, 01, 11)

Asynchronous composition:
Trans(x,y,u,v) = (ATrans(x,y) & v=u) + (BTrans(u,v) & y=x)

Synchronous composition:
Trans(x,y,u,v) = (ATrans(x,y) & BTrans(u,v))

Which ordering to choose?

SLIDE 15

Ordering?

  • 23 nodes: x1, x2, y1, y2, u1, u2, v1, v2
  • 45 nodes: x1, x2, u1, u2, y1, y2, v1, v2
  • 20 nodes: x1, y1, x2, y2, u1, v1, u2, v2

Polynomial-size BDDs are guaranteed in the size of the argument BDDs [Enders, Filkorn, Taubner’91]

SLIDE 16

Making the transition relation total

(figure: ATrans(x,y) and BTrans(u,v), each over states 00, 10, 01, 11)

SLIDE 17

Making the transition relation total

(figure: ATrans(x,y) and BTrans(u,v), each over states 00, 10, 01, 11)

ATrans'(x,y) = loops(x,y) + ATrans(x,y)

loops(x,y) = (!Exists y. ATrans(x,y)) & (x = y)

SLIDE 18

Reachable States

Reach(x) := Init(x);
REPEAT
  Old(x) := Reach(x);
  New(y) := Exists x.(Reach(x) & Trans(x,y));
  Reach(x) := Old(x) + New(x)
UNTIL Old(x) = Reach(x)

(figure: Reach0, Reach1, Reach2 over states 00, 10, 01, 11)

Relational Product: may be constructed without building the intermediate (often large) &-BDD.

Image computation; frontier.

SLIDE 19

Backwards reachability

Reach(x) := Goal(x);
REPEAT
  Old(x) := Reach(x);
  New(x) := Exists y.(Reach(y) & Trans(x,y));
  Reach(x) := Old(x) + New(x)
UNTIL Old(x) = Reach(x)

(figure: Goal, Reach1, Reach2 over states 00, 10, 01, 11)

Preimage computation.
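The encoding of slide 12 and the two fixpoints of slides 18 and 19, worked through on a tiny ROBDD kernel. This is an added example, not the lecture's tool: the kernel (mk, apply, restrict, exists, rename) is written here for illustration with the variable ordering x1, x2, y1, y2; the forward run assumes initial state 00 and the backward run assumes goal state 01, neither of which is stated on the slides.

```python
import itertools

# --- minimal ROBDD kernel (written for this example, not the lecture's tool) ---
ORDER = ["x1", "x2", "y1", "y2"]        # variable ordering (slide 5: it matters)
LEVEL = {v: i for i, v in enumerate(ORDER)}
NODES = [None, None]                     # index 0 = false, 1 = true; others = (level, low, high)
TABLE, MEMO = {}, {}                     # unique table and APPLY memo

def mk(lv, lo, hi):
    """Create or reuse a node; the two reduction rules give canonicity (slide 6)."""
    if lo == hi:                         # redundant test: drop the node
        return lo
    if (lv, lo, hi) not in TABLE:        # duplicate node: reuse it
        TABLE[(lv, lo, hi)] = len(NODES)
        NODES.append((lv, lo, hi))
    return TABLE[(lv, lo, hi)]

def lvl(u):
    return float("inf") if u < 2 else NODES[u][0]

def cof(u, lv):                          # cofactors of u w.r.t. the variable at level lv
    return NODES[u][1:] if lvl(u) == lv else (u, u)

def apply(op, u, v):
    """APPLY (slide 8): split on the topmost variable of u and v, memoised on (op, u, v)."""
    if (op, u, v) not in MEMO:
        if u < 2 and v < 2:
            MEMO[(op, u, v)] = int(op(u, v))
        else:
            lv = min(lvl(u), lvl(v))
            (lo1, hi1), (lo2, hi2) = cof(u, lv), cof(v, lv)
            MEMO[(op, u, v)] = mk(lv, apply(op, lo1, lo2), apply(op, hi1, hi2))
    return MEMO[(op, u, v)]

def AND(a, b): return a and b
def OR(a, b): return a or b
def NOT(a, _): return not a

def var(name):
    return mk(LEVEL[name], 0, 1)

def neg(u):
    return apply(NOT, u, 0)

def restrict(u, lv, b):                  # u[variable at level lv := b]
    if lvl(u) > lv:
        return u
    l, lo, hi = NODES[u]
    return (hi if b else lo) if l == lv else mk(l, restrict(lo, lv, b), restrict(hi, lv, b))

def exists(name, u):                     # Exists x. f = f[x:=0] + f[x:=1]
    return apply(OR, restrict(u, LEVEL[name], 0), restrict(u, LEVEL[name], 1))

def rename(u, mapping):                  # substitute variable names; must keep the ordering
    if u < 2:
        return u
    l, lo, hi = NODES[u]
    return mk(LEVEL[mapping.get(ORDER[l], ORDER[l])], rename(lo, mapping), rename(hi, mapping))

def evaluate(u, env):
    while u > 1:
        l, lo, hi = NODES[u]
        u = hi if env[ORDER[l]] else lo
    return bool(u)

def fold(op, unit, *args):
    for a in args:
        unit = apply(op, unit, a)
    return unit

# --- slide 12: the 4-state system, source state = bits x1x2, target = bits y1y2 ---
x1, x2, y1, y2 = (var(n) for n in ORDER)
TRANS = fold(OR, 0, fold(AND, 1, neg(x1), neg(x2), neg(y1), y2),   # 00 -> 01
                    fold(AND, 1, neg(x1), neg(x2), y1, y2),        # 00 -> 11
                    fold(AND, 1, x1, neg(x2), neg(y1), y2),        # 10 -> 01
                    fold(AND, 1, x1, neg(x2), y1, y2),             # 10 -> 11
                    fold(AND, 1, x1, x2, y1, neg(y2)))             # 11 -> 10

def image(reach):
    """Slide 18: New(y) := Exists x.(Reach(x) & Trans(x,y)), then rename y -> x."""
    img = exists("x2", exists("x1", apply(AND, reach, TRANS)))   # the intermediate &-BDD
    return rename(img, {"y1": "x1", "y2": "x2"})

def preimage(reach):
    """Slide 19: New(x) := Exists y.(Reach(y) & Trans(x,y))."""
    tgt = rename(reach, {"x1": "y1", "x2": "y2"})
    return exists("y2", exists("y1", apply(AND, tgt, TRANS)))

def fixpoint(start, step):
    """Reach := start; REPEAT Old := Reach; Reach := Old + step(Old) UNTIL Old = Reach.
    Equal node indices mean equal sets (canonicity). Returns [Reach0, Reach1, ...]."""
    history = [start]
    while True:
        reach = apply(OR, history[-1], step(history[-1]))
        if reach == history[-1]:
            return history
        history.append(reach)

def states(u):
    """Decode a BDD over x1,x2 into the state labels used on the slides."""
    return {f"{a}{b}" for a, b in itertools.product((0, 1), repeat=2)
            if evaluate(u, {"x1": a, "x2": b})}

def demo():
    init = fold(AND, 1, neg(x1), neg(x2))   # assumption: initial state 00
    goal = fold(AND, 1, neg(x1), x2)        # assumption: goal state 01 for the backward run
    return {"forward": [states(r) for r in fixpoint(init, image)],
            "backward": [states(r) for r in fixpoint(goal, preimage)]}
```

demo() returns Reach0, Reach1, Reach2 for both directions as sets of state labels. Because the kernel is canonical, the loop's termination test Old = Reach is a single integer comparison of node indices. The intermediate &-BDD that slide 18 warns about is built explicitly here (apply(AND, ...) followed by two exists calls); a relational-product operation would fuse the conjunction with the quantification and never materialise it.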

SLIDE 20

A MUTEX Algorithm

Clarke & Emerson

Mutual Exclusion Program:

P1 :: while True do
        T1 : wait(turn=1)
        C1 : turn:=0
      endwhile
||
P2 :: while True do
        T2 : wait(turn=0)
        C2 : turn:=1
      endwhile

SLIDE 21

Global Transition System

(figure: global states I1 I2 t=0, T1 I2 t=0, T1 T2 t=0, I1 T2 t=0, I1 C2 t=0, T1 C2 t=0, C1 I2 t=1, T1 T2 t=1, C1 T2 t=1, T1 I2 t=1, I1 T2 t=1, I1 I2 t=1)

SLIDE 22

A MUTEX Algorithm

Clarke & Emerson

vars x1 x2; vars y1 y2; vars u1 u2; vars v1 v2; vars t s;

ATrans := (!x1 & !x2 & !y1 & y2 & (s=t))
        + (!x1 & x2 & !y1 & y2 & !t & !s)
        + (!x1 & x2 & y1 & !y2 & t & s)
        + (x1 & !x2 & !y1 & !y2 & !s);

BTrans := (!u1 & !u2 & !v1 & v2 & (s=t))
        + (!u1 & u2 & !v1 & v2 & t & s)
        + (!u1 & u2 & v1 & !v2 & !t & !s)
        + (u1 & !u2 & !v1 & !v2 & s);

TT := (ATrans & (u1=v1) & (u2=v2)) + (BTrans & (x1=y1) & (x2=y2));

(figure: local states encoded as 00, 01, 10)

SLIDE 23

BDDs for Transition Relations

(figure: the BDDs for ATrans and TT)

SLIDE 24

Reachable States

Reach(x) := Init(x);
REPEAT
  Old(x) := Reach(x);
  New(y) := Exists x.(Reach(x) & Trans(x,y));
  Reach(x) := Old(x) + New(x)
UNTIL Old(x) = Reach(x)


SLIDE 26

Reachable States


(figure: the BDDs for Reach and for Reach & x1 & !x2 & u1 & !u2)

MUTEX?
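The ATrans/BTrans/TT definitions of slide 22 and the check of slide 26, run as an added example in explicit form rather than with BDDs (this is not the lecture's code). It assumes the initial global state I1 I2 t=0 and the local encoding I = 00, T = 01, C = 10, which is what slide 22's clauses imply; the clauses themselves are transcribed literally.

```python
from itertools import product

def a_trans(x1, x2, y1, y2, t, s):
    """ATrans from slide 22, transcribed clause by clause (t = turn before, s = turn after)."""
    return bool((not x1 and not x2 and not y1 and y2 and s == t)           # I1 -> T1
                or (not x1 and x2 and not y1 and y2 and not t and not s)   # T1 waits while turn = 0
                or (not x1 and x2 and y1 and not y2 and t and s)           # T1 -> C1 when turn = 1
                or (x1 and not x2 and not y1 and not y2 and not s))        # C1 -> I1, turn := 0

def b_trans(u1, u2, v1, v2, t, s):
    """BTrans from slide 22: P2 waits while turn = 1, enters when turn = 0, leaves with turn := 1."""
    return bool((not u1 and not u2 and not v1 and v2 and s == t)
                or (not u1 and u2 and not v1 and v2 and t and s)
                or (not u1 and u2 and v1 and not v2 and not t and not s)
                or (u1 and not u2 and not v1 and not v2 and s))

def tt(src, dst):
    """TT := (ATrans & u1=v1 & u2=v2) + (BTrans & x1=y1 & x2=y2) over global states (x1,x2,u1,u2,t)."""
    x1, x2, u1, u2, t = src
    y1, y2, v1, v2, s = dst
    return ((a_trans(x1, x2, y1, y2, t, s) and (u1, u2) == (v1, v2))
            or (b_trans(u1, u2, v1, v2, t, s) and (x1, x2) == (y1, y2)))

ALL = set(product((0, 1), repeat=5))     # every assignment of the five global state bits

def reachable(init):
    """Slide 24: Reach := Init; REPEAT Old := Reach; New := Exists x.(Reach(x) & Trans(x,y));
    Reach := Old + New UNTIL Old = Reach.  The image is enumerated here instead of BDD-encoded."""
    reach = {init}
    while True:
        old = reach
        reach = old | {dst for src in old for dst in ALL if tt(src, dst)}
        if reach == old:
            return reach

def mutex_violations(reach):
    """Slide 26: Reach & x1 & !x2 & u1 & !u2, i.e. both processes in their critical section."""
    return {g for g in reach if g[0] and not g[1] and g[2] and not g[3]}

NAMES = {(0, 0): "I", (0, 1): "T", (1, 0): "C"}   # local encoding read off slide 22's clauses

def label(g):
    """Render a global state the way slide 21 does, e.g. 'T1 C2 t=0'."""
    return f"{NAMES[g[:2]]}1 {NAMES[g[2:4]]}2 t={g[4]}"

def demo():
    reach = reachable((0, 0, 0, 0, 0))   # assumption: initial state I1 I2 t=0
    return {"states": sorted(label(g) for g in reach),
            "violations": {label(g) for g in mutex_violations(reach)}}
```

demo() reproduces the twelve global states of slide 21 and an empty violation set, which is the MUTEX answer the slide asks for. The encoding 11 is never reached, so every reachable state has a label; had the reachability loop been stopped after a fixed number of rounds instead of at Old = Reach, the check would only cover a prefix of the behaviour.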

SLIDE 27

Bisimulation

(figure: left system over vars x (y), right system over vars u (v), each over states 00, 10, 01, 11)

Bis(x,u) := 1;
REPEAT
  Old(x,u) := Bis(x,u);
  Bis(x,u) := Forall y. Trans(x,y) => (Exists v. Trans(u,v) & Bis(y,v))
            & Forall v. Trans(u,v) => (Exists y. Trans(x,y) & Bis(y,v));
UNTIL Bis(x,u) = Old(x,u)

SLIDE 28

Bisimulation (cont.)

(figure: Bis0, Bis1, Bis2 over states 00, 10, 01, 11)

3 equivalence classes = 6 pairs in the final bisimulation
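The greatest-fixpoint computation of slide 27 in explicit form, as an added example (not the lecture's code). It assumes that both components are the slide-12 transition system; that choice reproduces the Bis0, Bis1, Bis2 sequence and the 3 classes / 6 pairs of slide 28.

```python
# Assumption: both components are the slide-12 transition system (states 00, 10, 01, 11).
STATES = {"00", "10", "01", "11"}
TRANS = {("00", "01"), ("00", "11"), ("10", "01"), ("10", "11"), ("11", "10")}

def succ(trans, x):
    return {y for (a, y) in trans if a == x}

def bisimulation(states, trans_x, trans_u):
    """Slide 27: Bis0 = all pairs; Bis_{i+1} keeps (x,u) iff
       Forall y. Trans(x,y) => Exists v. Trans(u,v) & Bis_i(y,v)   and
       Forall v. Trans(u,v) => Exists y. Trans(x,y) & Bis_i(y,v).
    Returns [Bis0, Bis1, ...]; the last element is the greatest fixpoint."""
    bis = {(x, u) for x in states for u in states}
    history = [bis]
    while True:
        nxt = {(x, u) for (x, u) in bis
               if all(any((y, v) in bis for v in succ(trans_u, u)) for y in succ(trans_x, x))
               and all(any((y, v) in bis for y in succ(trans_x, x)) for v in succ(trans_u, u))}
        if nxt == bis:
            return history
        bis = nxt
        history.append(bis)

def classes(bis, states):
    """Equivalence classes of a bisimulation between a system and itself."""
    result = []
    for s in sorted(states):
        for c in result:
            if (s, next(iter(c))) in bis:   # bisimilar to the class representative
                c.add(s)
                break
        else:
            result.append({s})
    return result

def demo():
    hist = bisimulation(STATES, TRANS, TRANS)
    return {"sizes": [len(b) for b in hist],
            "classes": sorted(sorted(c) for c in classes(hist[-1], STATES))}
```

demo() gives the pair counts 16, 10, 6 for Bis0, Bis1, Bis2 and the classes {00, 10}, {01}, {11}: 00 and 10 have the same successors, 01 is the only state without successors, and 11 is the only state whose single successor is 10. The first refinement step already separates 01 from everything else, because a state with a successor cannot be matched by one without.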

SLIDE 29

Model Checking

(figure: Kripke structure; state labels p, p, q, p,q; state numbers 1, 3, 2)

vars x1 x2; vars y1 y2;
Trans(x1,x2,y1,y2) := !x1 & !x2 & !y1 & y2 + !x1 & !x2 & y1 & y2 + ………… ;
P(x1,x2) := !x1 & !x2 + !x1 & x2 + x1 & !x2;
Q(x1,x2) := ……… ;

SLIDE 30

Model Checking

<>P

Exists y1,y2. Trans(x1,x2,y1,y2) & P(y1,y2);

(figure: Kripke structure; state labels p, p, q, p,q; state numbers 1, 3, 2)


SLIDE 32

Model Checking

[]P

Forall y1,y2. Trans(x1,x2,y1,y2) => P(y1,y2);

(figure: Kripke structure; state labels p, p, q, p,q; state numbers 1, 3, 2)


SLIDE 34

Model Checking

(figure: Kripke structure; state labels p, p, q, p,q; state numbers 1, 3, 2)

ALWAYS P

A(x1,x2) = P(x1,x2) & Forall y1,y2. Trans(x1,x2,y1,y2) => A(y1,y2);   (max fixpoint)


SLIDE 36

Model Checking

P UNTIL Q

U(x1,x2) = Q(x1,x2) + { P(x1,x2) & Forall y1,y2. Trans(x1,x2,y1,y2) => U(y1,y2) };   (min fixpoint)

(figure: Kripke structure; state labels p, p, q, p,q; state numbers 1, 3, 2)
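The two fixpoints with the Forall-over-successors formulation of slides 34 and 36, run as an added example (not the lecture's code) on the slide-12 transition system with P from slide 29 and a constructed Q = {11}, since Q is elided on the slide. Because 01 has no successor on slide 12, the example also applies the totalisation of slide 17 and shows why it is done before properties with universal quantification are checked.

```python
# Assumption: the slide-12 transition system, P from slide 29, constructed Q.
STATES = {"00", "10", "01", "11"}
TRANS = {("00", "01"), ("00", "11"), ("10", "01"), ("10", "11"), ("11", "10")}
P = {"00", "01", "10"}   # P(x1,x2) := !x1 & !x2 + !x1 & x2 + x1 & !x2 (slide 29)
Q = {"11"}               # constructed; Q is elided on slide 29

def succ(trans, x):
    return {y for (a, y) in trans if a == x}

def forall_next(trans, states, s):
    """Forall y. Trans(x,y) => S(y): vacuously true when x has no successor at all."""
    return {x for x in states if succ(trans, x) <= s}

def always(trans, states, p):
    """ALWAYS P (slide 34): A = P & Forall y. Trans(x,y) => A(y), max fixpoint, shrinks from all states."""
    a = set(states)
    while True:
        nxt = p & forall_next(trans, states, a)
        if nxt == a:
            return a
        a = nxt

def until(trans, states, p, q):
    """P UNTIL Q (slide 36): U = Q + (P & Forall y. Trans(x,y) => U(y)), min fixpoint, grows from empty."""
    u = set()
    while True:
        nxt = q | (p & forall_next(trans, states, u))
        if nxt == u:
            return u
        u = nxt

def make_total(trans, states):
    """Slide 17: ATrans' = loops + ATrans with loops(x,y) = (!Exists y. ATrans(x,y)) & x = y."""
    return trans | {(x, x) for x in states if not succ(trans, x)}

def demo():
    total = make_total(TRANS, STATES)
    return {"always": always(TRANS, STATES, P), "always_total": always(total, STATES, P),
            "until": until(TRANS, STATES, P, Q), "until_total": until(total, STATES, P, Q)}
```

Without the self-loop, Forall y. Trans(01,y) => U(y) is vacuously true, so 01 enters U in the first iteration and 00 and 10 follow in the second, making P UNTIL Q hold everywhere although no path from 01 ever reaches Q. With the loop added, P UNTIL Q holds only in 11. ALWAYS P is unaffected in this instance because 01 satisfies P either way, but the same vacuity would make ALWAYS P hold in a dead state that satisfies P regardless of what the rest of the system does.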


SLIDE 38

Partitioned Transition Relation

Asynchronous: T(xu,yv) = (ATrans(x,y) & v=u) + (BTrans(u,v) & y=x)

Synchronous: T(xu,yv) = ATrans(x,y) & BTrans(u,v)

Relational Product: Exists yv. (T(xu,yv) & S(yv))

The monolithic T is LARGE, so the product is computed per partition instead:

Asynchronous: Exists yv. AT(xu,yv) & S(yv) + Exists yv. BT(xu,yv) & S(yv)

Synchronous: Exists y. ATrans(x,y) & Exists v. BTrans(u,v) & S(yv)
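The partitioned relational product of slide 38 over explicit state pairs, as an added example (not the lecture's code). Both components are assumed to be the slide-12 transition system; the monolithic versions are built only to confirm that the partitioned ones compute the same predecessor set.

```python
# Assumption: both components are the slide-12 transition system (states 00, 10, 01, 11).
STATES = {"00", "10", "01", "11"}
ATRANS = {("00", "01"), ("00", "11"), ("10", "01"), ("10", "11"), ("11", "10")}
BTRANS = set(ATRANS)

def async_monolithic(a, b, states):
    """T(xu,yv) = (ATrans(x,y) & v=u) + (BTrans(u,v) & y=x): the LARGE composed relation."""
    return ({((x, u), (y, u)) for (x, y) in a for u in states}
            | {((x, u), (x, v)) for (u, v) in b for x in states})

def sync_monolithic(a, b):
    """T(xu,yv) = ATrans(x,y) & BTrans(u,v)."""
    return {((x, u), (y, v)) for (x, y) in a for (u, v) in b}

def pre_monolithic(t, s):
    """Exists yv. (T(xu,yv) & S(yv)) with T materialised first."""
    return {src for (src, tgt) in t if tgt in s}

def pre_async_partitioned(a, b, states, s):
    """Exists yv. AT(xu,yv) & S(yv) + Exists yv. BT(xu,yv) & S(yv): one product per partition."""
    return ({(x, u) for (x, y) in a for u in states if (y, u) in s}     # A moves, u unchanged
            | {(x, u) for (u, v) in b for x in states if (x, v) in s})  # B moves, x unchanged

def pre_sync_partitioned(a, b, s):
    """Exists y. ATrans(x,y) & (Exists v. BTrans(u,v) & S(y,v)): quantify v early, then y."""
    r = {(u, y) for (u, v) in b for (y, w) in s if w == v}          # R(u,y) = Exists v. B(u,v) & S(y,v)
    return {(x, u) for (x, y) in a for (u, z) in r if z == y}       # Exists y. A(x,y) & R(u,y)

def demo(s):
    """Predecessor set of S computed with and without the composed relation."""
    return {"async_mono": pre_monolithic(async_monolithic(ATRANS, BTRANS, STATES), s),
            "async_part": pre_async_partitioned(ATRANS, BTRANS, STATES, s),
            "sync_mono": pre_monolithic(sync_monolithic(ATRANS, BTRANS), s),
            "sync_part": pre_sync_partitioned(ATRANS, BTRANS, s)}
```

demo(S) returns the predecessor sets of S computed both ways; the partitioned versions never materialise the 40-pair asynchronous or 25-pair synchronous T, which is the saving slide 38 is after. In the synchronous case the early quantification of v produces the intermediate relation R(u,y), whose size is bounded by the component relations rather than by their product.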

SLIDE 39

IAR visualSTATE (Beologic), CIT project VVS (with DTU)

Beologic’s products: salesPLUS, visualSTATE

1980-95: independent division of B&O; 1995-: independent company (B&O, 2M Invest, Danish Municipal Pension Ins. Fund). Customers:

ABB, B&O, Daimler-Benz, Ericson, DIAX, ESA/ESTEC, FORD, Grundfos, LEGO, PBS, Siemens, … (approx. 200)

Verification problems:

  • 1.400 components
  • 10^400 states

Our techniques have reduced verification time by several orders of magnitude (from 14 days to 6 sec)

  • Embedded Systems
  • Simple Model
  • Verification of Std. Checks
  • Explicit Representation (STATE EXPLOSION)
  • Code Generation
SLIDE 40

Control Programs

A Train Simulator, visualSTATE (VVS)

  • 1421 machines
  • 11102 transitions
  • 2981 inputs
  • 2667 outputs
  • 3204 local states
  • Declared state space: 10^476

BUGS ?

“Ideal” representation: 1 bit/state will clearly NOT work!

SLIDE 41

Experimental Breakthroughs

Patented

Results table (column boundaries were partly lost in extraction). Columns, as far as they can be recovered: System, Mach. (number of machines), State Space Declared, Reach, Checks, then Sec/MB for visualSTATE, for a state-of-the-art tool (St-of-Art), and for ComBack. Row values as extracted, in column order:

  • VCR: 7, 10^5, 1279, 50, <1, <1, 6, <1, 7
  • JVC: 8, 10^4, 352, 22, <1, <1, 6, <1, 6
  • HI-FI: 9, 10^7, 14163, 84, 120, 1200, 1.0, 6, 3.9, 6
  • Motor: 12, 10^7, 34560, 123, 32, <1, 6, 2.0
  • AVS: 12, 10^7, 14384, 16, 173, 3780, 6.7, 6, 5.7, 6
  • Video: 13, 10^8, 12194, 40, 122, 1.1, 6, 1.5, 6
  • Car: 20, 10^11, 9.2·10^9, 83, 3.8, 9, 1.8, 6
  • N6: 14, 10^10, 63995, 52, 443, --, 32.3, 7, 218, 6
  • N5: 25, 10^12, 5.0·10^10, 269, --, 56.2, 7, 9.1, 6
  • N4: 23, 10^13, 3.7·10^8, 132, 622, 7, 6.3, 6
  • Train1: 373, 10^136, 133, 5, --, 25.9, 6
  • Train2: 1421, 10^476, 470, 8, --, 739, 11

Machine: 166 MHz Pentium PC with 32 MB RAM

  • --: Out of memory, or did not terminate after 3 hours.
Our technique has reduced verification time by several orders of magnitude (e.g. from 14 days to 6 sec)