Symbolic Model Checking Binary Decision Diagrams 2 Combinatorial - PDF document

1 Randal Bryant ’86 Ken McMillan ’90 Symbolic Model Checking Binary Decision Diagrams

2 Combinatorial Circuits

3 Eight Queen Combinatorial Problems Sudoku

Control Programs A Train Simulator, visualSTATE (VVS) 1421 machines 11102 transitions BUGS ? 2981 inputs 2667 outputs 3204 local states Declare state sp.: 10^ 476 “ I d e a l ” w p i l r l e c s l e e a n r t l a y t i o N n O : T 1 w b o i t r / s k t ! a t e 4

Reduced Ordered Binary Decision Diagrams [Bryant’86] • Compact represetation of boolean functions allowing effective manipulation (satifiability, validity,….) or • Compact representation of sets over finite universe allowing effective manipulations. 5

6 A short review Binary Decision Diagrams [Randal Bryant’86]

7 If-Then-Else Normal Form

8 Shannon Expansion

Binary Decision Trees Variable is set to 0 Variable is set to 1 Each path determines a partial (set of) truth assignments. Result of the boolean expression under the given assigment found in value of terminal. 9

10 Orderedness & Redundant TESTS

11 x Orderedness & Reducedness x x z x<y x<z x y

12 ROBDDs formally

Edges to 0 13 implicit Reduced Ordered Binary Decision Iben Diagrams

14 Ordering DOES matter

15 Canonicity of ROBDDs

Complexity ?? 16 Build

17 APPLY operation

18 APPLY example

19 with dynamic programming APPLY operation

20 Other operations

21 Constraint Solving using BDDs

22 4 x 4 Sudoku 288 solutions ! 4 3 2 1

Encoding 1 2 3 4 1 1 2 Boolean variables x i,j,k for all 2 i, j, k ∈ {1,2,3,4}. 3 3 4 4 Idea : x i,j,k = 1 ; if the number k is in position (i,j) in the solution x 2,2,2 =1 0 ; otherwise x 4,4,4 =1 x 2,2,1 =0 23

1 2 3 4 1 1 Constraints 2 2 3 3 4 4 Precisely one value in each position i, j: x 1,j,1 + x i,j,2 + x i,j,3 + x i,j,4 = 1 for each i, j Each value k appears in each row i exactly ones: x i,1,k + x i,2,k + x i,3,k + x i,4,k = 1 for each i, k Each value k appears in each colomn j exactly ones: x 1,j,k + x 2,j,k + x 3,j,k + x 4,j,k = 1 for each j, k Each value k appears in each 2x2 box exactly ones: x 1,1,k + x 1,2,k + x 2,1,k + x 2,2,k = 1 (e.g.) 24

25 Solving Sudoku 4 4 3 3 2 2 1 1 1 2 3 4 4 3 2 1 1 2 3 4

26 ROBDDs and Verification […,McMillan’90,…..,VVS’97]

ROBDD encoding of transition system Encoding of states using binary variables (here x1 and x2 ). 00 01 Encoding of transition relation using source and target variables 10 11 (here x1, x2, y1 , and y2 ) Trans(x1,x2,y1,y2):= !x1 & !x2 & !y1 & y2 + !x1 & !x2 & y1 & y2 + x1 & !x2 & !y1 & y2 + x1 & !x2 & y1 & y2 + x1 & x2 & y1 & !y2; 27

ROBDD representation (cont.) 00 01 10 11 Trans(x1,x2,y1,y2):= !x1 & !x2 & !y1 & y2 + !x1 & !x2 & y1 & y2 + x1 & !x2 & !y1 & y2 + x1 & !x2 & y1 & y2 + x1 & x2 & y1 & !y2; 28

ROBDD for parallel composition ATrans( x,y ) Asynchronous composition 00 01 Trans( x,y,u,v ) = ( ATrans( x,y ) & v = u ) 10 11 + ( BTrans( u,v ) & y = x ) Synchronous composition 00 01 Trans( x,y,u,v ) = ( ATrans( x,y ) & BTrans( u,v ) ) 10 11 Which ordering to choose? BTrans( u,v ) 29

Ordering? 23 nodes 20 nodes 45 nodes x1,x2,y1,y2,u1,u2,v1,v2 x1,y1,x2,y2,u1,v1,u2,v2 x1,x2,u1,u2, y1,y2 ,v1,v2 Polynomial size BDDs guaranteed in size of argument BDDs [Enders,Filkorn, Taubner’91] 30

Reachable States Relational Product: May be constructed Reach( x ) := Init( x ); without building REPEAT intermediate (often large) Old( x ) := Reach( x ); &-BDD. New( y ) := Exists x. (Reach( x ) & Trans( x , y )); Reach( x ) := Old( x ) + New( x ) UNTIL Old( x ) = Reach( x ) Reach 0 Reach 1 Reach 2 00 01 10 11 Reach 1 31

A MUTEX Algorithm Clarke & Emerson P1 :: while True do P1 :: while True do T1 : wait( turn=1 ) T1 : wait( turn=1 ) C1 : turn:=0 C1 : turn:=0 endwhile endwhile || || P2 :: while True do P2 :: while True do T2 : wait( turn=0 ) T2 : wait( turn=0 ) C2 : turn:=1 C2 : turn:=1 endwhile endwhile Mutual Exclusion Program 32

33 I 1 T2 t= 1 I 1 I 2 t= 1 T1 T2 t= 1 Global Transition System T1 I 2 t= 1 C1 T2 t= 1 C1 I 2 t= 1 I 1 C2 t= 0 T1 C2 t= 0 I 1 T2 t= 0 T1 T2 I 1 I 2 t= 0 t= 0 T1 I 2 t= 0

A MUTEX Algorithm Clarke & Emerson vars x1 x2; vars y1 y2; vars u1 u2; vars v1 v2; vars t s; ATrans := (!x1 & !x2 & !y1 & y2 & (s=t)) + (!x1 & x2 & !y1 & y2 & !t & !s) 00 + (!x1 & x2 & y1 & !y2 & t & s) + (x1 & !x2 & !y1 & !y2 & !s); 01 BTrans := (!u1 & !u2 & !v1 & v2 & (s=t)) + (!u1 & u2 & !v1 & v2 & t & s) + (!u1 & u2 & v1 & !v2 & !t & !s) + (u1 & !u2 & !v1 & !v2 & s); 10 TT := (ATrans & (u1=v1) & (u2=v2)) + (BTrans & (x1=y1) & (x2=y2)); 34

35 BDDs for Transition Relations TT ATrans

Reach( x ) := Init( x ); REPEAT Old( x ) := Reach( x ); Reachable States New( y ) := Exists x. (Reach( x ) & Trans( x , y )); Reach( x ) := Old( x ) + New( x ) UNTIL Old( x ) = Reach( x ) 36

Reach( x ) := Init( x ); REPEAT Old( x ) := Reach( x ); Reachable States New( y ) := Exists x. (Reach( x ) & Trans( x , y )); Reach( x ) := Old( x ) + New( x ) UNTIL Old( x ) = Reach( x ) 37

Reach( x ) := Init( x ); REPEAT Old( x ) := Reach( x ); Reachable States New( y ) := Exists x. (Reach( x ) & Trans( x , y )); Reach( x ) := Old( x ) + New( x ) UNTIL Old( x ) = Reach( x ) MUTEX ? Reach & x1 & !x2 & u1 & !u2 Reach 38

Bisimulation vars x (y) 00 01 Bis( x,u ):= 1; REPEAT Old( x,u ) := Bis( x,u ); 10 11 Bis( x,u ) := Forall y. Trans( x,y ) => (Exists v. Trans( u,v ) & Bis( y,v )) & Forall v. Trans( u,v ) => 00 01 (Exists y. Trans( x,y ) & Bis( y,v )); UNTIL Bis( x,u )=Old( x,u ) 10 11 vars u (v) 39

40 Bis 2 Bisimulation (cont.) Bis 1 = 6 pairs in final bisimulation Bis 0 3 equivalence classes 11 01 00 10

Model Checking vars x1 x2; vars y1 y2; 0 1 2 p p,q p Trans(x1,x2,y1,y2) := !x1 & !x2 & !y1 & y2 + !x1 & !x2 & y1 & y2 + ………… ; q 3 P(x1,x2) := !x1 & !x2 + !x1 & x2 + x1 & !x2; Q(x1,x2) := ……… ; 41

42 Trans(x1,x2,y1,y2) & Exists y1,y2. P(y1,y2); Model Checking EX P p 2 p,q 1 q 3 p 0

43 Trans(x1,x2,y1,y2) & Exists y1,y2. P(y1,y2); Model Checking EX P p 2 p,q 1 q 3 p 0

44 Trans(x1,x2,y1,y2) => Forall y1,y2. P(y1,y2); Model Checking AX P p 2 p,q 1 q 3 p 0

45 Trans(x1,x2,y1,y2) => Forall y1,y2. P(y1,y2); Model Checking AX P p 2 p,q 1 q 3 p 0

Trans(x1,x2,y1,y2) => 46 max fixpoint Forall y1,y2. A (y1,y2); P(x1,x2) & A (x1,x2) = Model Checking AG P p 2 p,q 1 q 3 p 0

Trans(x1,x2,y1,y2) => 47 max fixpoint Forall y1,y2. A (y1,y2); P(X1,x2) & A (x1,x2) = Model Checking AG P p 2 p,q 1 q 3 p 0

Model Checking A( P UNTIL Q ) 0 1 2 p p,q p min fixpoint U (x1,x2) = Q(x1,x2) + q { P(x1,x2) & 3 Forall y1,y2. Trans(x1,x2,y1,y2) => U (y1,y2) }; 48

Model Checking A( P UNTIL Q ) 0 1 2 p p,q p min fixpoint U (x1,x2) = Q(X1,x2) + q { P(x1,x2) & 3 Forall y1,y2. Trans(x1,x2,y1,y2) => U (y1,y2) }; 49

Partitioned Transition Relation LARGE Relational Product Exists yv. (T( xu,yv ) & S( yv )) Asynchronous Synchronous T( xu,yv ) = T( xu,yv ) = ( ATrans( x,y ) & v = u ) ATrans( x,y ) + ( BTrans( u,v ) & y = x ) & BTrans( u,v ) Exists y. ATrans( x,y ) & S( yu ) Exists yv. Atrans( x,y ) + Exists v. BTrans( u,v ) & S( xv ) & Btrans( u,v ) & S( yv) Exists y. Atrans( x,y ) & (Exists v. Btrans( u,v ) & S( yv ) ) 50

visualSTATE CIT project VVS (w DTU) salesPLUS visualSTATE Beologic’s Products: salesPLUS visualSTATE 1980-95: Independent division of B&0 • Embedded Systems 1995- : Independent company • Simple Model B&O, 2M Invest, • Verification of Std. Checks Danish Municipal Pension Ins. Fund • Explicit Representation 1998: BAAN ( STATEEXPLOSION ) 2000: IAR Systems A/S • Code Generation Verification Problems: Customers: • 1.400 components ABB • 10 400 states B&O Daimler-Benz Our techniques has reduced Ericson DIAX ESA/ESTEC verification by an order of magnitude FORD (from 14 days to 6 sec) Grundfos LEGO PBS 51 Siemens ……. (approx. 200)

52 Embedded World Nürnberg, 2005 visualSTATE

Control Programs A Train Simulator, visualSTATE (VVS) 1421 machines 11102 transitions BUGS ? 2981 inputs 2667 outputs 3204 local states Declare state sp.: 10^ 476 “ I d e a l ” w p i l r l e c s l e e a n r t l a y t i o N n O : T 1 w b o i t r / s k t ! a t e 53