
Who Watches the Watchers: Toward Provably-correct Decision Diagram Code (PowerPoint presentation)



  1. Who Watches the Watchers: Toward Provably-correct Decision Diagram Code
     Yousra Lembachar, Ryan Rusich, Iulian Neamtiu, Gianfranco Ciardo
     University of California, Riverside
     1 / 18

  2. Toward a Completely Verified Software Toolchain
     [Figure, built up over six slides: the software toolchain with the decision diagram library and its client code as the component to be verified.]


  8. Our Contribution
     ◮ Bddl
       ◮ A calculus for reasoning about decision diagram library and client code
       ◮ Provides a sound type system with operational semantics
       ◮ Enables compile-time detection of dynamic errors
       ◮ Enforces correct structural properties and semantics for decision diagrams
     ◮ Demonstrate the efficacy of our approach via real-world bugs detected in three mature libraries: CUDD (NuSMV), MDDL (SMART), and JavaBDD

  9. Runtime Error Example in CUDD

     Library code (CUDD):

       DdNode* Cudd_bddCompose(DdManager *dd, DdNode *f, DdNode *g, int v) {
           DdNode *proj, *res;
           /* Sanity check. */
           if (v < 0 || v >= dd->size)
               return(NULL);
           proj = dd->vars[v];
           do { ... } while (dd->reordered == 1);
           return(res);
       }

       BDD BDD::Compose(BDD g, int v) {
           ...
           return BDD(..., Cudd_bddCompose(mgr.node, g.node, v));
       }

     Client code:

       int main() {
           Cudd mgr(0,2);
           BDD x = mgr.bddVar();
           BDD y = mgr.bddVar();
           BDD h = x * y;          /* h = x.y */
           BDD j = x + y;          /* j = x+y */
           BDD k = h.Compose(j,2);
       }

     [Figure: the BDDs for h = x.y and j = x+y over the variables x and y; the final build of the slide adds a variable z.]

     The manager holds only the two variables created by bddVar(), with indices 0 (x) and 1 (y). Compose(j, 2) asks to substitute j for the variable with index 2, so v >= dd->size holds, the sanity check in Cudd_bddCompose returns NULL, and the failure surfaces only at run time, when the wrapper builds a BDD object from the NULL result. Nothing in the types of h, j or the index argument stops the call from compiling.

 12. Binary Decision Diagrams (BDDs)
     [Figure: the full binary decision tree (left) and the BDD (right) for f(v1, v2, v3, v4) = (v4 ∨ v2) ∧ (v3 → v1), with v4 at the root, v1 at the bottom level, and the terminals 0 and 1.]

 13. BDD Encodings - Sets and n-ary relations

     Set (bit strings in the order v4 v3 v2 v1):
       {0011, 0101, 0110, 0111, 1001, 1010, 1011, 1101, 1110, 1111}

     Binary relation (pairs (v2 v1, v2' v1')):
       {(01,01), (00,11), (01,10), (01,11), (10,01), (11,00), (11,01), (10,11), (11,10), (11,11)}

     One BDD encodes both: reading its four levels as v4 v3 v2 v1 gives the set, reading them in the interleaved order v2 v2' v1 v1' gives the relation. For example the path 0 0 1 1 is the element 0011 of the set and the pair (01, 01) of the relation.

     [Figure: the shared BDD, with its levels labelled v4 / v2, v3 / v2', v2 / v1 and v1 / v1'.]

 15. BDD Reduction Rules
     Reduction rules for canonicity and compactness: nodes with the same variable and the same two children are merged, and, in the fully-reduced form, a node whose two children coincide is removed so that an edge may skip levels. The quasi-reduced form keeps such redundant nodes so that every path visits every level.
     [Figure: fully-reduced (left) vs. quasi-reduced (right) BDDs for the same function over v4 .. v1, the quasi-reduced one containing the extra nodes labelled v2 + v1.]
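As an added example (not code from the talk or from CUDD, MDDL or JavaBDD), the following Python builds BDDs through a unique table and applies the two reduction rules above to the function of slide 12 and the set of slide 13. It reports the node counts of the fully-reduced and quasi-reduced forms of f, recovers the set from the diagram, and re-reads the same diagram as the relation, using the variable and bit orders given on the slides; the class and function names are my own.

```python
"""Added example, not code from the talk or from CUDD, MDDL or JavaBDD:
a small BDD builder with a unique table, used to show the reduction rules
and the set / relation encodings from the slides.  Levels are numbered as
on the slides: level n at the root, level 1 at the bottom, terminals 0 and 1
at level 0.  All names below (BDD, mk, build, members, demo) are my own."""
from functools import lru_cache


class BDD:
    """Nodes are (level, fchild, tchild) triples in a unique table.
    reduce=True applies both reduction rules (fully-reduced form);
    reduce=False only merges duplicates (quasi-reduced form)."""

    def __init__(self, nvars, reduce=True):
        self.nvars = nvars
        self.reduce = reduce
        self.nodes = {}   # id -> (level, fchild, tchild); ids 0 and 1 are the terminals
        self.unique = {}  # (level, fchild, tchild) -> id

    def mk(self, level, f, t):
        if self.reduce and f == t:   # rule 1: a node whose children coincide is dropped
            return f
        key = (level, f, t)
        if key not in self.unique:   # rule 2: identical nodes are shared
            nid = len(self.nodes) + 2
            self.nodes[nid] = key
            self.unique[key] = nid
        return self.unique[key]

    def build(self, fn):
        """Shannon-expand fn, a predicate over a {level: bit} dict, top-down."""
        @lru_cache(maxsize=None)
        def rec(level, fixed):
            if level == 0:
                return int(bool(fn(dict(fixed))))
            f = rec(level - 1, fixed + ((level, 0),))
            t = rec(level - 1, fixed + ((level, 1),))
            return self.mk(level, f, t)
        return rec(self.nvars, ())

    def level(self, nid):
        return 0 if nid in (0, 1) else self.nodes[nid][0]

    def members(self, nid, level=None):
        """Bit strings (top level first) on paths from nid to terminal 1.
        A level skipped by a long edge (fully-reduced form) takes both values."""
        level = self.nvars if level is None else level
        if nid == 0:
            return []
        if level == 0:
            return [""]
        if self.level(nid) < level:      # skipped level: both values lead on
            rest = self.members(nid, level - 1)
            return [b + r for b in "01" for r in rest]
        _, f, t = self.nodes[nid]
        return (["0" + r for r in self.members(f, level - 1)] +
                ["1" + r for r in self.members(t, level - 1)])


def f_slide12(env):
    """f(v1, v2, v3, v4) = (v4 or v2) and (v3 -> v1), from slide 12."""
    v1, v2, v3, v4 = env[1], env[2], env[3], env[4]
    return (v4 or v2) and ((not v3) or v1)


# The set from slide 13, bits in the order v4 v3 v2 v1.
SLIDE13_SET = {"0011", "0101", "0110", "0111", "1001",
               "1010", "1011", "1101", "1110", "1111"}


def in_slide13_set(env):
    return "".join(str(env[k]) for k in (4, 3, 2, 1)) in SLIDE13_SET


def relation_pairs(bdd, root):
    """Read the same BDD as a relation: levels as v2 v2' v1 v1' (interleaved)."""
    pairs = set()
    for v2, v2p, v1, v1p in bdd.members(root):
        pairs.add((v2 + v1, v2p + v1p))
    return pairs


def demo():
    full = BDD(4, reduce=True)
    froot = full.build(f_slide12)
    quasi = BDD(4, reduce=False)
    quasi.build(f_slide12)
    sets = BDD(4, reduce=True)
    sroot = sets.build(in_slide13_set)
    return {
        "f_fully_reduced_nodes": len(full.nodes),    # 6 non-terminal nodes
        "f_quasi_reduced_nodes": len(quasi.nodes),   # 10: every level on every path
        "f_members": sorted(full.members(froot)),
        "set_nodes": len(sets.nodes),
        "set_roundtrip": set(sets.members(sroot)) == SLIDE13_SET,
        "relation": sorted(relation_pairs(sets, sroot)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The quasi-reduced builder differs from the fully-reduced one only in that `mk` keeps a node whose two children are the same, which is exactly the difference between the two diagrams on the slide; the `members` walk has to expand skipped levels only for the fully-reduced form.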

 16. Bddl Calculus

 17. Bddl Terms - The Bnode term and its attributes

     t ::= v | x | succ t | pred t | iszero t
         | λx:τ.t | t t | letrec x:τ = t in t | if t then t else t
         | ref t | !t
         | Bnode(t, i, t, t, t)
         | t.level | t.index | t.var | t.tchild | t.fchild

     Example: Bnode(succ 0, id2, v1, ref 1, ref 0) is the node for variable v1 at level succ(0), with identity id2, whose 1-edge (tchild) goes to terminal 1 and whose 0-edge (fchild) goes to terminal 0.
     [Figure: that single node, labelled v1 and succ(0), with edges to the terminals 1 and 0.]


 23. Bddl Terms - λ-calculus based terms

     letrec v1 = ... in
     letrec id2 = ... in
     letrec build =
       λn.                /* n = succ(0) */
       λb.                /* b = true */
         if iszero n then
           (if b then 1 else 0)
         else
           Bnode(succ(0), id2, v1, build 0 true, build 0 false)
     in build (succ(0)) true

     build n b returns the terminal selected by b when n is zero; otherwise it returns the level-1 node for v1 whose 1-edge is build 0 true (terminal 1) and whose 0-edge is build 0 false (terminal 0).
     [Figure: the node v1 at level succ(0) with its 1-edge and 0-edge labelled build(0 true) and build(0 false).]

 26. Bddl Types

     τ ::= bool | nat | string | Id
         | τ → τ | ref τ
         | bdd[l, r, c]
         | {ν : τ | p(π)}

     l ::= ⊥ | nv            (level)
     r ::= ⊥ | f | q         (fully-reduced or quasi-reduced)
     c ::= ⊥ | s | e
     π ::= ν | l | r | c

     The build function with types:

     letrec v1 : string = ... in
     letrec id2 : Id = ... in
     letrec build : {ν : nat | ν = l ∧ l ≤ 1} → bool → bdd[l, r, c] =
       λn.
       λb.
         if iszero n then
           (if b then 1 else 0)
         else
           Bnode(succ(0), id2, v1, build 0 true, build 0 false)
     in build (succ(0)) true          : bdd[1, q, s]

 27. Type checking and type inference for a 3-level BDD

     Bnode(3, id7, x2, ref t4, ref t5)
     Bnode(2, id6, x1, ref t2, ref t3)      Bnode(2, id5, x1, ref t2, ref t1)
     Bnode(1, id4, x3, ref 0, ref 0)   Bnode(1, id3, x3, ref 1, ref 0)   Bnode(1, id2, x3, ref 0, ref 1)
     terminals 0 and 1

     type??

     T-Bnode:
       Γ ⊢ id : Id      id ∉ dom(Γ)
       Γ ⊢ v_var : string
       Γ ⊢ t0 : {ν : nat | ν ≥ 1 ∧ ν = l}
       Γ ⊢ t1 : ref bdd[l', r, c]      bdd[l', r, c] <:_B {ν : bdd[p, r, c] | l = p + 1}
       Γ ⊢ t2 : ref bdd[l'', r, c]     bdd[l'', r, c] <:_B {ν : bdd[p', r, c] | l = p' + 1}
       ------------------------------------------------------------------------------
       Γ, id : Id ⊢ Bnode(t0, id, v_var, t1, t2) : bdd[l, r, c]
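As an added example (not the Bddl implementation from the talk), the following Python checks Bnode terms against the premises of the T-Bnode rule above: the level is at least 1, the node id is fresh in Γ, the variable is a string, and each child's level matches the node's level as the subtyping premise requires. Two simplifications are my own assumptions: a type is modelled as bdd[l, r] with r in {"q", "f"} and no c component, and the premise bdd[l', r, c] <:_B {ν : bdd[p, r, c] | l = p + 1} is read as "child exactly one level down" for quasi-reduced terms and "child strictly below" for fully-reduced terms, which in addition reject a node whose two children coincide. The slide does not say which node each ref t1..t5 refers to; the example assumes t1..t5 name id2..id6 in that order.

```python
"""Added example, not the Bddl implementation from the talk: a checker that
applies the premises of the T-Bnode rule to Bnode terms built in Python.
Assumptions of this example (not the paper's definitions): a type is just
bdd[l, r] with r in {"q", "f"}, the c component is dropped, and the subtyping
premise is read as "child exactly one level down" for r = "q" and "child
strictly below" for r = "f"."""
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Bnode:
    level: int       # t0: the level, must be >= 1
    ident: str       # id: must be fresh, i.e. not already in dom(Gamma)
    var: str         # v_var: the variable name, a string
    tchild: "Term"   # ref t1: the 1-edge child
    fchild: "Term"   # ref t2: the 0-edge child


Term = Union[int, Bnode]   # the terminals 0 and 1 are the ints 0 and 1


class BddTypeError(Exception):
    pass


def typecheck(term, r, gamma=None):
    """Return the level l of term's type bdd[l, r] or raise BddTypeError.
    gamma maps ids already typed (dom(Gamma)) to (node, level): a ref to an
    already typed node is accepted, a second node with the same id is not."""
    gamma = {} if gamma is None else gamma
    if term in (0, 1):
        return 0                                   # terminals have type bdd[0, r]
    if not isinstance(term, Bnode):
        raise BddTypeError("not a bdd term: %r" % (term,))
    bound = gamma.get(term.ident)
    if bound is not None:
        if bound[0] is term:                       # shared subgraph: same node again
            return bound[1]
        raise BddTypeError("%s: id already in dom(Gamma)" % term.ident)
    if term.level < 1:
        raise BddTypeError("%s: level must be >= 1" % term.ident)
    if not isinstance(term.var, str):
        raise BddTypeError("%s: var must be a string" % term.ident)
    gamma[term.ident] = (term, term.level)         # Gamma, id : Id
    for name, child in (("tchild", term.tchild), ("fchild", term.fchild)):
        p = typecheck(child, r, gamma)
        if r == "q" and p != term.level - 1:       # l = p + 1 exactly
            raise BddTypeError("%s.%s: child at level %d, expected %d"
                               % (term.ident, name, p, term.level - 1))
        if r == "f" and p >= term.level:           # long edges allowed, must go down
            raise BddTypeError("%s.%s: child at level %d is not below %d"
                               % (term.ident, name, p, term.level))
    if r == "f" and term.tchild == term.fchild:    # fully-reduced: no redundant node
        raise BddTypeError("%s: both children are the same node" % term.ident)
    return term.level


def slide_bdd():
    """The 3-level BDD from the type-checking slide.  Assumption: the refs
    t1..t5 on the slide name the nodes id2..id6 in that order."""
    t1 = Bnode(1, "id2", "x3", 0, 1)
    t2 = Bnode(1, "id3", "x3", 1, 0)
    t3 = Bnode(1, "id4", "x3", 0, 0)   # redundant node: both edges go to terminal 0
    t4 = Bnode(2, "id5", "x1", t2, t1)
    t5 = Bnode(2, "id6", "x1", t2, t3)
    return Bnode(3, "id7", "x2", t4, t5)


def check(term, r):
    """('ok', level) if term has type bdd[level, r], else ('error', why)."""
    try:
        return ("ok", typecheck(term, r))
    except BddTypeError as e:
        return ("error", str(e))


if __name__ == "__main__":
    root = slide_bdd()
    print(check(root, "q"))   # accepted as bdd[3, q]
    print(check(root, "f"))   # rejected: id4 has identical children
    gap = Bnode(3, "id8", "x2", Bnode(1, "id9", "x3", 0, 1), 0)
    print(check(gap, "q"))    # rejected: a level-3 node with a level-1 child
    print(check(gap, "f"))    # accepted: long edges are allowed when fully reduced
    dup = Bnode(2, "id2", "x1", Bnode(1, "id2", "x3", 0, 1), 0)
    print(check(dup, "q"))    # rejected: id2 bound twice
```

The slide's diagram type-checks as a quasi-reduced BDD of level 3 but not as a fully-reduced one, because id4 has both edges going to the terminal 0; a level gap, or an id reused for a second node, is rejected before any diagram is built, which is the compile-time detection the contribution slide refers to.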
