State Abstraction Techniques for the Verification of Reactive - PowerPoint PPT Presentation

Title Page State Abstraction Techniques for the Verification of Reactive Circuits Designing Correct Circuits, European Joint Conference on Theory and Practice of Software, Grenoble, France  april 6-7 2002 Yannis Bres, CMA-EMP / INRIA Gérard Berry, Esterel Technologies Amar Bouali, Esterel Technologies Ellen M. Sentovich, Cadence Berkeley Labs

Outline Outline Introduction Context of our work Finite State Machines (FSMs) Reachable State Space (RSS) computation principle and algorithm Computing Over-approximated Reachable State Space (ORSS) State variable inputization Variable abstraction using ternary-valued logic Refinement using the Esterel Selection Tree Experiment results Conclusions

Reachable State Space Uses Reachable State Space Uses Computing the Reachable State Space of a design is used for: Formal verification by observers Equivalence checking Automated test pattern generation State minimization State re-encoding …

Exact RSS computation is expensive Exact RSS computation is expensive Exponentially complex wrt. intermediate variables, in both memory and time: 1 variable per input 2 variables per state variable Several (orthogonal) techniques to reduce complexity: Application-specific partial RSS computation (transitive network sweeping) BDD pruning Decomposed FSM RSS computation Turning state variables into inputs … Our approach : abstracting variables through ternary-valued logic

Context of our work Context of our work Synchronous logical circuits (RTL level) derived from high-level hierarchical programs written in SyncCharts, ECL or Esterel Well-suited for control-dominated programs, both for hardware and software targets Implicit state set representation using BDDs (TiGeR package) Application to safety property verification (synchronous observers) Implemented as a command-line tool

FSMs FSMs A Finite State Machine (FSM) is described by the tuple , where is the number of inputs is the number of state variables (registers) is the number of outputs is the transition function is the output function describes the set of initial states describes the valid input space

RSS computation principle RSS computation principle Find the limit of the converging sequence: Where becomes: Eventually, the equality becomes:

Basic RSS computation algorithm Basic RSS computation algorithm

Complexity analysis Complexity analysis With BDDs: ¬ : constant ∨ , ∧ : polynomial ∃ , substitutions: exponential … with respect to the number of intermediate variables ⇒ Goal: reducing the number of intermediate variables ! Constraint: be “conservative”, i.e. compute an over-approximation of the RSS Thus, if property holds on the “cheap” ORSS, it holds on the exact RSS

State variable inputization State variable inputization Reduces the number of register variables 2 variables per register → 1 variable per inputized register Reduces the number of functions Increases the swept area Maintains correlation between instances of a variable i ∧ ¬ i = 0 i ∨ ¬ i = 1 Same number of a posteriori existential quantifications Over-approximated result because constraints between variables are relaxed “Snow-ball” effect

Ternary-valued logic Ternary-valued logic Usual Boolean logic with a third value: d or (i.e. ⊥ , X, …) Parallel extension of Boolean operators: ¬ ∨ ∧ 0 1 d 0 1 d 0 1 0 0 1 d 0 0 0 0 1 0 1 1 1 1 1 0 1 d d d d d 1 d d 0 d d Dual-rail encoding of constants: v v 0 v 1 0 1 0 1 0 1 d 0 0

Ternary-valued logic Ternary-valued logic Ternary Valued Functions (TVFs) are encoded using a pair of Boolean functions ( f 0 , f 1 ) f 0 f 1 f d Standard Boolean operators are extended to TVFs: ¬ ( f 0 , f 1 ) = ( f 1 , f 0 ) ( f 0 , f 1 ) ∨ ( g 0 , g 1 ) = ( f 0 ∧ g 0 , f 1 ∨ g 1 ) ( f 0 , f 1 ) ∧ ( g 0 , g 1 ) = ( f 0 ∨ g 0 , f 1 ∧ g 1 )

Application to RSS computation Application to RSS computation The Boolean transition function is enlarged as: f 0 ← → f 1 f ¬ f f d

Variable abstraction Variable abstraction Abstracted variables are replaced by the constant d Reduces the number of state variables 2 variables per register → 0 variable per abstracted register Reduces the number of input variables 1 variable per input → 0 variable per abstracted input Even fewer a posteriori existential quantifications Reduces the number of functions Increases the swept area Loses correlation between instances of a variable d ∧ ¬ d = d d ∨ ¬ d = d Even more over-approximated result “Snow-ball” effect Variables to be abstracted must be chosen with great care!

Refinement Using the Esterel Selection Tree Refinement Using the Esterel Selection Tree [ await I1 ; 1 do something ; # 2 await I2 ; do something ∨ || await I3 ; 3 do something # ] ; 4 await I4 ; do something Gives an overapproximation ceiling Allows to reinforce input care set for inputized registers

Experiment results #1 Experiment results #1 Industrial design: fuel management system of a jet aircraft from Dassault Aviation • ensures that the engines are properly fed • manages system components failures • manages the fuel load balancing between the two sides of the aircraft • manages in-flight refueling • …

Experiment results #1 Experiment results #1 property method result depth time memory exact 5 >10mn 79Mb 4 inputization correct 3 3.8s / 150 6Mb / 13 abstraction 4 1.5s / 400 6Mb / 13 exact 7 >2mn 21Mb 6 correct inputization 4 0.6s / 200 5Mb / 4 abstraction 4 0.3s / 400 5Mb / 4 Inputization gives excellent results on all properties Abstraction gives even better ones !

Experiment results #2 Experiment results #2 Undisclosed industrial design property method result depth time memory all exact correct 14 1h 11 475Mb exact 13 28mn 203Mb 1 inputization correct 9 20s / 85 9Mb / 22 abstraction 7 7s / 250 10Mb / 20 exact 13 30mn 238Mb inputization 10 1mn 30s / 20 21Mb / 11 2 + sel tree correct 4 4s / 460 7Mb / 34 abstraction 8 17mn / 2 378Mb * 1.5 + sel tree 4 47s / 40 51Mb / 5

Experiment results #2 Experiment results #2 property method result depth time memory exact 13 30mn 203Mb inputization 7s / 262 10 7Mb / 29 3_1 + sel tree correct 4s / 460 abstraction 39s / 47 34Mb / 6 8 + sel tree 23s / 80 23Mb / 9 exact 13 33mn 206Mb correct inputization 25s / 80 11Mb / 19 10 3_2 + sel tree 11s / 180 8Mb / 26 abstraction false 2 0.5s 7Mb + sel tree correct 8 25s / 80 16Mb / 13 Abstraction gives very good on most properties, but inputization often gives better ones !

Conclusions Conclusions A method to ease Reachable State Space computation, by computing an over- approximation of it, through variable abstraction, using a ternary-valued logic. Requires some abstraction hints from the designer, easy in a graphical IDE for hierarchical designs. Refinements and over-approximation ceiling from design structural informations Quite good results on a few experiments on industrial designs, although current implementation is rather crude ⇒ Abstraction figures vs. inputization ones can be improved