 
Semantics & Verification Lecture 14 Gerd Behrmann
Outline of remaining lectures
● Lecture 9: Modelling real time system
● Lecture 10: More on Uppaal + mini projects
● Lecture 11: Mini projects
● Lecture 12: Verification of timed automata
● Lecture 13: Binary Decision Diagrams
● Lecture 14: Using BDDs for the purpose of verification
● Lecture 15: Round-up of course
ROBDDs formally
Reduced Ordered Binary Decision Diagrams [figure: example ROBDD; edges to 0 implicit]
Ordering does matter! Variable ordering
Canonicity of ROBDDs
BUILD [figure: recursive BUILD call tree] Run time?
APPLY operation
APPLY example
Other operations
ROBDDs and Verification […,McMillan’90,…..,VVS]
ROBDD encoding of transition system
Encoding of states using binary variables (here x1 and x2). Encoding of transition relation using source and target variables (here x1, x2, y1, and y2).
[figure: transition system over states 00, 01, 10, 11]
  Trans(x1,x2,y1,y2) :=
      !x1 & !x2 & !y1 &  y2
    + !x1 & !x2 &  y1 &  y2
    +  x1 & !x2 & !y1 &  y2
    +  x1 & !x2 &  y1 &  y2
    +  x1 &  x2 &  y1 & !y2;
ROBDD representation (cont.)
[figure: the ROBDD of Trans(x1,x2,y1,y2) defined on the previous slide, drawn next to the transition system over states 00, 01, 10, 11]
ROBDD for parallel composition
[figure: ATrans( x,y ) over states 00, 01, 10, 11 and BTrans( u,v ) over states 00, 01, 10, 11]
Asynchronous composition:
  Trans( x,y,u,v ) = ( ATrans( x,y ) & v = u ) + ( BTrans( u,v ) & y = x )
Synchronous composition:
  Trans( x,y,u,v ) = ( ATrans( x,y ) & BTrans( u,v ) )
Which ordering to choose?
Ordering?
  x1,x2,y1,y2,u1,u2,v1,v2 : 23 nodes
  x1,y1,x2,y2,u1,v1,u2,v2 : 20 nodes
  x1,x2,u1,u2,y1,y2,v1,v2 : 45 nodes
Polynomial size BDDs guaranteed in size of argument BDDs [Enders, Filkorn, Taubner'91]
Making the transition relation total
[figure: ATrans( x,y ) over states 00, 01, 10, 11 and BTrans( u,v ) over states 00, 01, 10, 11]
Making the transition relation total (cont.)
  loops( x,y ) = (¬∃y. ATrans( x,y )) ∧ x = y
  ATrans'( x,y ) = loops( x,y ) ∨ ATrans( x,y )
[figure: ATrans and BTrans as above, with a self-loop added to every state that had no successor]
Reachable States
  Reach( x ) := Init( x );
  REPEAT
    Old( x ) := Reach( x );
    New( y ) := Exists x. (Reach( x ) & Trans( x , y ));
    Reach( x ) := Old( x ) + New( x )
  UNTIL Old( x ) = Reach( x )
(The Exists step is the image computation; New( x ) is New( y ) with the target variables y renamed to the source variables x.)
Relational Product: may be constructed without building the intermediate (often large) &-BDD.
[figure: frontier of the image computation, Reach 0, Reach 1, Reach 2 over states 00, 01, 10, 11]
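An added example, not from the lecture slides: a minimal ROBDD package (mk with a unique table, APPLY, restrict, Exists, renaming) used to run the Reach loop above on the Trans(x1,x2,y1,y2) of the encoding slide. Node ids, the cube helper and the variable indices 0..3 for x1,x2,y1,y2 are this example's own choices.

```python
T, H = {}, {}  # T: node id -> (var, low, high); H: the unique table (its inverse); ids 0/1 are the terminals
X1, X2, Y1, Y2 = range(4)  # variable ordering x1 < x2 < y1 < y2 (indices 0..3)
AND, OR = int.__and__, int.__or__

def mk(v, lo, hi):  # reduced node: no redundant test, identical subgraphs shared
    if lo == hi:
        return lo
    n = H.setdefault((v, lo, hi), len(T) + 2)
    T[n] = (v, lo, hi)
    return n
def var(u): return T[u][0] if u > 1 else 99  # terminals sort after every variable
def apply(op, a, b, memo=None):  # APPLY: Shannon-expand on the smaller top variable
    memo = {} if memo is None else memo
    if (a, b) not in memo:
        if a < 2 and b < 2:
            memo[(a, b)] = op(a, b)
        else:
            v = min(var(a), var(b))
            a0, a1 = T[a][1:] if var(a) == v else (a, a)
            b0, b1 = T[b][1:] if var(b) == v else (b, b)
            memo[(a, b)] = mk(v, apply(op, a0, b0, memo), apply(op, a1, b1, memo))
    return memo[(a, b)]
def restrict(u, v, bit):  # u[v := bit]
    if u < 2 or var(u) > v:
        return u
    x, lo, hi = T[u]
    return (hi if bit else lo) if x == v else mk(x, restrict(lo, v, bit), restrict(hi, v, bit))
def exists(u, v):  # Exists v. u  =  u[v:=0] + u[v:=1]
    return apply(OR, restrict(u, v, 0), restrict(u, v, 1))
def rename(u, f):  # substitute every variable v by f(v); f must preserve the ordering
    return u if u < 2 else mk(f(T[u][0]), rename(T[u][1], f), rename(T[u][2], f))
def cube(*bits):  # conjunction of literals: bit 1 -> v, bit 0 -> !v, for v = 0, 1, ...
    r = 1
    for v, b in enumerate(bits):
        r = apply(AND, r, mk(v, 1 - b, b))
    return r

TRANS = 0  # Trans(x1,x2,y1,y2) from the slide: 00->01, 00->11, 10->01, 10->11, 11->10
for t in [(0, 0, 0, 1), (0, 0, 1, 1), (1, 0, 0, 1), (1, 0, 1, 1), (1, 1, 1, 0)]:
    TRANS = apply(OR, TRANS, cube(*t))

def reach(init):  # Reach(x) := Init(x); REPEAT ... UNTIL Old(x) = Reach(x)
    r = init
    while True:
        old = r
        new_y = exists(exists(apply(AND, r, TRANS), X1), X2)  # Exists x. (Reach(x) & Trans(x,y))
        r = apply(OR, old, rename(new_y, lambda v: v - 2))     # New(y) renamed to New(x): y1,y2 -> x1,x2
        if r == old:
            return r
```

Because the package is canonical, two BDDs denote the same set exactly when they are the same node id, so the fixpoint test and the set comparisons are integer comparisons; from Init = 00 the whole state space is reachable and reach(cube(0, 0)) is the terminal 1.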
Backwards reachability
  Reach( x ) := Goal( x );
  REPEAT
    Old( x ) := Reach( x );
    New( x ) := Exists y. (Reach( y ) & Trans( x , y ));
    Reach( x ) := Old( x ) + New( x )
  UNTIL Old( x ) = Reach( x )
(The Exists step is the preimage computation; Reach( y ) is Reach( x ) with the source variables x renamed to the target variables y.)
[figure: Goal, Reach1, Reach2 over states 00, 01, 10, 11]
A MUTEX Algorithm (Clarke & Emerson)
Mutual Exclusion Program:
  P1 :: while True do
          T1 : wait( turn=1 )
          C1 : turn:=0
        endwhile
  ||
  P2 :: while True do
          T2 : wait( turn=0 )
          C2 : turn:=1
        endwhile
Global Transition System
[figure: global states are pairs of local states (I, T or C for each process) together with t=0 or t=1, e.g. I1 I2 t=0, I1 I2 t=1, T1 I2, I1 T2, T1 T2, C1 I2, I1 C2, C1 T2, T1 C2]
A MUTEX Algorithm (Clarke & Emerson), ROBDD encoding
  vars x1 x2; vars y1 y2;
  vars u1 u2; vars v1 v2;
  vars t s;
  ATrans := (!x1 & !x2 & !y1 &  y2 & (s=t))
          + (!x1 &  x2 & !y1 &  y2 & !t & !s)
          + (!x1 &  x2 &  y1 & !y2 &  t &  s)
          + ( x1 & !x2 & !y1 & !y2 & !s);
  BTrans := (!u1 & !u2 & !v1 &  v2 & (s=t))
          + (!u1 &  u2 & !v1 &  v2 &  t &  s)
          + (!u1 &  u2 &  v1 & !v2 & !t & !s)
          + ( u1 & !u2 & !v1 & !v2 &  s);
  TT := (ATrans & (u1=v1) & (u2=v2))
      + (BTrans & (x1=y1) & (x2=y2));
(Local states are encoded 00, 01, 10; t and s are the current and next value of turn.)
BDDs for Transition Relations
[figure: the ROBDDs of TT and ATrans]
Reachable States
  Reach( x ) := Init( x );
  REPEAT
    Old( x ) := Reach( x );
    New( y ) := Exists x. (Reach( x ) & Trans( x , y ));
    Reach( x ) := Old( x ) + New( x )
  UNTIL Old( x ) = Reach( x )
Reachable States (cont.)
[figure: the reachable part of the MUTEX global transition system]
MUTEX ?   Reach & x1 & !x2 & u1 & !u2
(The reachable states with both P1 and P2 in their critical sections, encoded 10; mutual exclusion holds iff this BDD is 0.)
Bisimulation
  vars x (y); vars u (v)
  Bis( x,u ) := 1;
  REPEAT
    Old( x,u ) := Bis( x,u );
    Bis( x,u ) := Forall y. Trans( x,y ) => (Exists v. Trans( u,v ) & Bis( y,v ))
                & Forall v. Trans( u,v ) => (Exists y. Trans( x,y ) & Bis( y,v ));
  UNTIL Bis( x,u ) = Old( x,u )
[figure: two transition systems over states 00, 01, 10, 11]
Bisimulation (cont.)
[figure: the iterates Bis 0, Bis 1, Bis 2 over states 00, 01, 10, 11]
3 equivalence classes = 6 pairs in final bisimulation
Model Checking
  vars x1 x2; vars y1 y2;
[figure: transition system with states 0, 1, 2, 3, labelled with the atomic propositions p and q]
  Trans(x1,x2,y1,y2) := !x1 & !x2 & !y1 & y2 + !x1 & !x2 & y1 & y2 + ………… ;
  P(x1,x2) := !x1 & !x2 + !x1 & x2 + x1 & !x2;
  Q(x1,x2) := ……… ;
Model Checking: <>P
  Exists y1,y2. Trans(x1,x2,y1,y2) & P(y1,y2);
Model Checking: []P
  Forall y1,y2. Trans(x1,x2,y1,y2) => P(y1,y2);
Model Checking: ALWAYS P (max fixpoint)
  A(x1,x2) = P(x1,x2) & Forall y1,y2. Trans(x1,x2,y1,y2) => A(y1,y2);
Model Checking: P UNTIL Q (min fixpoint)
  U(x1,x2) = Q(x1,x2) + { P(x1,x2) & Forall y1,y2. Trans(x1,x2,y1,y2) => U(y1,y2) };
Partitioned Transition Relation
Relational Product (T is LARGE):
  Exists yv. (T( xu,yv ) & S( yv ))
Asynchronous:
  T( xu,yv ) = ( ATrans( x,y ) & v = u ) + ( BTrans( u,v ) & y = x )
  Exists yv. AT( xu,yv ) & S( yv )  +  Exists yv. BT( xu,yv ) & S( yv )
Synchronous:
  T( xu,yv ) = ATrans( x,y ) & BTrans( u,v )
  Exists y. ATrans( x,y ) & Exists v. BTrans( u,v ) & S( yv )
IAR visualSTATE (Beologic), CIT project VVS (w DTU)
Beologic: 1980-95: independent division of B&O; 1995-: independent company (B&O, 2M Invest, Danish Municipal Pension Ins. Fund)
Beologic's products: salesPLUS, visualSTATE
visualSTATE: Embedded Systems; Simple Model; Verification of Std. Checks; Explicit Representation (STATE EXPLOSION); Code Generation
Customers: ABB, B&O, Daimler-Benz, Ericson, DIAX, ESA/ESTEC, FORD, Grundfos, LEGO, PBS, Siemens, ……. (approx. 200)
Verification problems: 1.400 components, 10^400 states
Our techniques have reduced verification time by several orders of magnitude (from 14 days to 6 sec)
Control Programs: A Train Simulator, visualSTATE (VVS)
  1421 machines, 11102 transitions, 2981 inputs, 2667 outputs, 3204 local states
  Declared state space: 10^476
  "Ideal" representation, 1 bit/state, will clearly NOT work!
  BUGS ?
Experimental Breakthroughs
Columns as on the slide: System | Mach. | State Space: Declared, Reach | visualSTATE Checks | St-of-Art | Patented: Sec, MB | ComBack: Sec, MB
  VCR    |    7 | 10^5   | 1279      |   50 | <1  | <1   | 6 | <1   | 7
  JVC    |    8 | 10^4   | 352       |   22 | <1  | <1   | 6 | <1   | 6
  HI-FI  |    9 | 10^7   | 14163     |   84 | 120 | 1200 | 1.0 | 6 | 3.9 | 6
  Motor  |   12 | 10^7   | 34560     |  123 | 32  | <1   | 6 | 2,0
  AVS    |   12 | 10^7   | 14384     |   16 | 173 | 3780 | 6.7 | 6 | 5.7 | 6
  Video  |   13 | 10^8   | 12194     |   40 | 122 | ---  | 1.1 | 6 | 1.5 | 6
  Car    |   20 | 10^11  | 9.2·10^9  |   83 | --- | 3.8  | 9 | 1.8  | 6
  N6     |   14 | 10^10  | 63995     |   52 | 443 | ---  | 32.3 | 7 | 218 | 6
  N5     |   25 | 10^12  | 5.0·10^10 |  269 | --- | 56.2 | 7 | 9.1  | 6
  N4     |   23 | 10^13  | 3.7·10^8  |  132 | --- | 622  | 7 | 6.3  | 6
  Train1 |  373 | 10^136 | ---       | 1335 | --- | ---  | --- | 25.9 | 6
  Train2 | 1421 | 10^476 | ---       | 4708 | --- | ---  | --- | 739  | 11
(Row values are kept in the order they appear on the slide.)
Machine: 166 MHz Pentium PC with 32 MB RAM. ---: out of memory, or did not terminate after 3 hours.