binary decision diagrams and symbolic model checkingjv/homepage/dea/bryantonbdd.pdf · binary...
TRANSCRIPT
Binary Decision Diagramsand
Symbolic Model Checking
Binary Decision DiagramsBinary Decision Diagramsandand
Symbolic Model CheckingSymbolic Model Checking
Randy Bryant CMUEd Clarke CMUKen McMillan CadenceAllen Emerson U Texas
http://www.cs.cmu.edu/~bryant
– 2 –
Binary Decision DiagramsBinary Decision Diagrams
Restricted Form of Branching ProgramRestricted Form of Branching ProgramGraph representation of Boolean functionCanonical formSimple algorithms to construct & manipulate
Application NicheApplication NicheProblems expressed as Quantified Boolean FormulasA lot of interesting problems are in PSPACE
Symbolic Model CheckingSymbolic Model CheckingProve properties about large-scale, finite-state systemSuccessfully used to verify hardware systems
– 3 –
Boolean Function as LanguageBoolean Function as Language
Truth Table Language
View n-variable Boolean function as language ⊆ {0,1}n
Reduced DFA is canonical representation
00001111
00110011
01010101
00010101
x1 x2 x3 f
DFA
0 1
1 0,1
1
{ 011,101,111 }
– 4 –
From DFA to OBDDFrom DFA to OBDD
0 1
1 0,1
1
x1
x2 x2
x3
1
x1
x2
x3
1
x1
x2
x3
10
Canonical representation of Boolean functionCanonical representation of Boolean functionTwo functions equivalent if and only if graphs isomorphicDesirable property: simplest form is canonical.
– 5 –
Representing Circuit FunctionsRepresenting Circuit Functions
b3 b3
a3
Cout
b3
b2 b2
a2
b2 b2
a2
b3
a3
S3
b2
b1 b1
a1
b1 b1
a1
b2
a2
S2
b1
a0 a0
b1
a1
S1
b0
10
b0
a0
S0
FunctionsFunctionsAll outputs of 4-bit adderFunctions of data inputs
A
B
Cout
SADD
Shared RepresentationShared RepresentationGraph with multiple roots31 nodes for 4-bit adder571 nodes for 64-bit adderLinear growth
– 6 –
Effect of Variable OrderingEffect of Variable Ordering
Good Ordering
Linear Growth
0
b3
a3
b2
a2
1
b1
a1
)()()( 332211 bababa ∧∨∧∨∧
Bad Ordering
Exponential Growth
a3 a3
a2
b1 b1
a3
b2
b1
0
b3
b2
1
b1
a3
a2
a1
– 7 –
Sample Function ClassesSample Function ClassesFunction Class Best Worst Ordering SensitivityALU (Add/Sub) linear exponential HighSymmetric linear quadratic NoneMultiplication exponential exponential Low
General ExperienceGeneral ExperienceMany tasks have reasonable OBDD representationsAlgorithms remain practical for up to 500,000 node OBDDsHeuristic ordering methods generally satisfactory
– 8 –
Symbolic Manipulation with OBDDsSymbolic Manipulation with OBDDs
StrategyStrategyRepresent data as set of OBDDs
Identical variable orderingsExpress solution method as sequence of symbolic operations
Sequence of constructor & query operationsSimilar style to on-line algorithm
Implement each operation by OBDD manipulationDo all the work in the constructor operations
Key Algorithmic PropertiesKey Algorithmic PropertiesArguments are OBDDs with identical variable orderingsResult is OBDD with same orderingEach step polynomial complexity
– 9 –
If-Then-Else OperationIf-Then-Else Operation
Arguments Arguments II, , TT, , EEFunctions over variables XRepresented as OBDDs
ResultResultOBDD representing composite function(I ∧T) ∨ (¬I ∧ E)
MUX1
0
I → T, E
X
I
T
E
ConceptConceptBasic technique for building OBDD from logic network or formula.
– 10 –
0 1
d
c
a
B3 B4
B2
B5
B1
A4,B3 A5,B4
A3,B2
A6,B2
A2,B2
A3,B4A5,B2
A6,B5
A1,B1
Recursive CallsArgument I1
Argument T
b
0
d
1
c
a
A4 A5
A3
A2
A6
A1
If-Then-Else Execution ExampleIf-Then-Else Execution ExampleArgument E
OptimizationsOptimizationsDynamic programmingEarly termination rules
– 11 –
With Reduction
C2
C4
C5
C3
C6
C1 0
d
c
b
1
a
0 1
d
c
b
11
c
a
A4,B3 A5,B4
A3,B2
A6,B2
A2,B2
A3,B4A5,B2
A6,B5
A1,B1
If-Then-Else Result GenerationIf-Then-Else Result Generation
Recursive Calls Without Reduction
Recursive calling structure implicitly defines unreduced BDDApply reduction rules bottom-up as return from recursive calls
– 12 –
Restriction OperationRestriction OperationConceptConcept
Effect of setting function argument xi to constant k (0 or 1).Also called Cofactor operation (UCB)
Fx equivalent to F [x = 1]Fx equivalent to F [x = 0]
k F xi –1
xi +1
xn
x1
F [xi =k]
– 13 –
Restriction Execution ExampleRestriction Execution Example
Argument F
0
c
d
1
Reduced Result
0
a
c
d
1
Restriction F[b=1]
0
a
b
c
d
1
– 14 –
Derived Algebraic OperationsDerived Algebraic OperationsOther operations can be expressed in terms of If-Then-Else
And(F, G)
MUX1
0
F → G, 0
X
F
G
0
If-Then-Else(F, G, 0)
XF
G
MUX1
0
F → 1, G
X
F
G
1
If-Then-Else(F, 1, G)
XF
G
Or(F, G)
– 15 –
Generating OBDD from NetworkGenerating OBDD from NetworkTask: Represent output functions of gate network as OBDDs.
Network EvaluationA A ←← new_new_varvar ("a");("a");BB ←← new_new_varvar ("b");("b");C C ←← new_new_varvar ("c");("c");T1 T1 ←← And (A, 0, B);And (A, 0, B);T2 T2 ←← And (B, C);And (B, C);OutOut ←← Or (T1, T2);
A
B
C
T1
T2
Out
Or (T1, T2);
Resulting GraphsA B C
T1 T2
Out
0 1
a
0 1
c
0 1
b
0 1
b
a
0 1
c
b
c
b
0 1
b
a
– 16 –
Functional CompositionFunctional Composition
G F xi –1
xi +1
xn
x1
x1
xn F [xi =G]
x1
xn xi –1
xi +1
xn
x1
xi –1
xi +1
xn
x1
1 F
0 F
MUX1
0
G
Create new function by composing functions F and G.Useful for composing hierarchical modules.
– 17 –
Variable QuantificationVariable Quantification
1 F
0 F
xi –1
xi +1
xn
x1
xi –1
xi +1
xn
x1
xi –1
xi +1
xn
x1
F∃ ∃ xi F
Eliminate dependency on some argument through quantificationCombine with AND for universal quantification.
– 18 –
Finite State System AnalysisFinite State System Analysis
Systems Represented as Finite State MachinesSystems Represented as Finite State MachinesSequential circuitsCommunication protocolsSynchronization programs
Analysis TasksAnalysis TasksState reachabilityState machine comparisonTemporal logic model checking
Traditional Methods Impractical for Large MachinesTraditional Methods Impractical for Large MachinesPolynomial in number of statesNumber of states exponential in number of state variables.Example: single 32-bit register has 4,294,967,296 states!
– 19 –
Temporal Logic Model CheckingTemporal Logic Model Checking
Verify Reactive SystemsVerify Reactive SystemsConstruct state machine representation of reactive system
Nondeterminism expresses range of possible behaviors“Product” of component state machines
Express desired behavior as formula in temporal logicDetermine whether or not property holds
Traffic LightController
Design
Traffic LightController
DesignTrue
ModelChecker“It is never possible
to have a green light for both N-S and E-W.”
False+ Counterexample
– 20 –
Characteristic FunctionsCharacteristic Functions
A0 /1
A
B
UnionA
B
Intersection
ConceptConceptA ⊆ {0,1}n
Set of bit vectors of length nRepresent set A as Boolean function A of n variables
X ∈ A if and only if A(X ) = 1
Set Operations
– 21 –
Symbolic FSM RepresentationSymbolic FSM Representation
Symbolic RepresentationNondeterministic FSM
00
10
01
11 o2
o1
1
n2
0
n1
o2
o1,o2 encodedold state
n1, n2 encodednew state
Represent set of transitions as function δ(Old, New)Yields 1 if can have transition from state Old to state New
Represent as Boolean functionOver variables encoding states
– 22 –
Reachability AnalysisReachability AnalysisTaskTask
Compute set of states reachable from initial state Q0
Represent as Boolean function R(S)Never enumerate states explicitly
ComputeGiven
δold state
new stateRstate 0/10/1
InitialR0
=
Q0
– 23 –
Breadth-First Reachability AnalysisBreadth-First Reachability Analysis
00
10
01
11
R0
00
R1R0
00 01
R2R1R0
00 01 10
R3R2R1R0
00 01 10
Ri – set of states that can be reached in i transitionsReach fixed point when Rn = Rn+1
Guaranteed since finite state
– 24 –
Iterative ComputationIterative Computation
Ri
δ
Ri
∃
Ri +1
old
new
Ri +1 – set of states that can be reached i +1 transitionsEither in Ri
or single transition away from some element of Ri
– 25 –
Symbolic FSM Analysis ExampleSymbolic FSM Analysis ExampleK. McMillan, E. Clarke (CMU) J. Schwalbe (Encore Computer)
EncoreEncore GigamaxGigamax Cache SystemCache SystemDistributed memory multiprocessorCache system to improve access timeComplex hardware and synchronization protocol.
VerificationVerificationCreate “simplified” finite state model of system (109 states!)Verify properties about set of reachable states
Bug DetectedBug DetectedSequence of 13 bus events leading to deadlockWith random simulations, would require ≈2 years to generate failing case.In real system, would yield MTBF < 1 day.
– 26 –
System Modeling ExampleSystem Modeling Example
Gigamax MemorySystem
Simplifying Simplifying AbstractionsAbstractions
Single word cacheSingle bit/wordAbstract other clustersImprecise timing
InterfaceCluster #2
AbstractionCluster #3
Abstraction
Interface
Mem. CacheControl.
CacheControl.
Global Bus
Cluster #1 Bus
Proc. Proc.
Arbitrary reads & writes
– 27 –
Commercial Applications of Symbolic Model CheckingCommercial Applications of Symbolic Model CheckingSeveral Commercial ToolsSeveral Commercial Tools
Difficult training and customer support
Most Large Companies Have InMost Large Companies Have In--House VersionsHouse VersionsIBM, Lucent, Intel, Motorola, SGI, Fujitsu, Siemens, …Many based on McMillan’s SMV program
Requires SophisticationRequires SophisticationBeyond that of mainstream designers
– 28 –
Application ChallengeApplication Challenge
ChallengingSystems to Design
Model checkingCapacity
SystemSize
Degree of Concurrency
Cannot Apply Directly to Full Scale DesignCannot Apply Directly to Full Scale DesignVerify smaller subsystemsVerify abstracted versions of full system
Must understand system & tool to do effectively
– 29 –
Real World IssuesReal World Issues
Still Too VolatileStill Too VolatileFail by running out of spaceUseless once exceed physical memory capacity
Ongoing Research to Improve Memory PerformanceOngoing Research to Improve Memory PerformanceDynamic variable orderingExploiting modularity of system model
Partitioned transition relationsExploiting parallelism
Map onto multiple machinesDifficult program for parallel computation
» Dynamic, irregular data structures
– 30 –
Dynamic Variable ReorderingDynamic Variable Reordering
Richard Rudell, Synopsys
Periodically Attempt to Improve Ordering for All BDDsPeriodically Attempt to Improve Ordering for All BDDsPart of garbage collectionMove each variable through ordering to find its best location
Has Proved Very SuccessfulHas Proved Very SuccessfulTime consuming but effectiveEspecially for sequential circuit analysis
– 31 –
Dynamic Reordering By SiftingDynamic Reordering By Sifting
a3
b2 b2
a3
a2
a3
b1
b2
0
b3
b1
1
b2
a3
a2
a1
a3
b2
b3
b2
a3
a2
a3
b2
0
b1
b3
1
b2
a3
a2
a1
a2
a3
b1
b2
0
b3
b2
a3
1
b1
a2
a1
a3
b2
0
b3
b2
a3
a2
1
b1
a1
a3 a3
a2
b1 b1
a3
b2
b1
0
b3
b2
1
b1
a3
a2
a1
• • •a3
b2
0
b3
b2
a3
a2
1
a1
b1
BestChoices
Choose candidate variableTry all positions in variable ordering
Repeatedly swap with adjacent variableMove to best position found
– 32 –
Swapping Adjacent VariablesSwapping Adjacent Variables
Localized EffectLocalized EffectAdd / delete / alter only nodes labeled by swapping variablesDo not change any incoming pointers
b1 b1
b2b2 b2b2
e f g h
i jb1 b1
b2
b1
b2
b1
e f
g h i j
– 33 –
Tuning of BDD PackagesTuning of BDD Packages
Cooperative EffortCooperative EffortBwolen Yang, in cooperation with researchers from Colorado, Synopsys, CMU, and T.U. EindhovenMeasure & improve performance of BDDs for symbolic model checking
MethodologyMethodologyGenerated set of benchmark tracesRun 6 different packages on same machineCompare results and share findings
Cooperative competition
– 34 –
Effect of OptimizationsEffect of Optimizations
Compare preCompare pre-- vs. postvs. post--optimized results for 96 runsoptimized results for 96 runs6 different BDD packages16 benchmark traces eachLimit each run to maximum of 8 CPU hours and 900 MBMeasure speedup = Told / Tnew or:
New: Failed before but now succeedsFail: Fail both timesBad: Succeeded before, but now fails
– 35 –
Optimization Results SummaryOptimization Results Summary
Cumulative Speedup Histogram
22
33
61
75 76 76
136
16
0
10
20
30
40
50
60
70
80
>100 >5 >1 >0
speedups
# of
cas
es
>10 >2
>0.9
5
new
bad
faile
d
– 36 –
What’s Good about OBDDsWhat’s Good about OBDDsPowerful OperationsPowerful Operations
Creating, manipulating, testingEach step polynomial complexity
Graceful degradation
Generally Stay Small EnoughGenerally Stay Small EnoughEspecially for digital circuit applicationsGiven good choice of variable ordering
Weak CompetitionWeak CompetitionNo other method comes close in overall strengthEspecially with quantification operations
– 37 –
Thoughts on Algorithms ResearchThoughts on Algorithms Research
Need to be Willing to Attack Intractable ProblemsNeed to be Willing to Attack Intractable ProblemsMany real-world problems NP-hardNo approximations for verification
Who Works on These?Who Works on These?Mostly people in application domain
Most work on BDDs in computer-aided design conferencesNot by people with greatest talent in algorithms
No papers in STOC/FOCS/SODAProbably many ways they could improve things
Fundamental dilemmaCan only make weak formal statements about efficiencyUtility demonstrated empirically