Efficient Reachability Analysis for Verification of Asynchronous Systems
Nishant Sinha
Outline
• Formal Verification: Motivation
• Reachability for Asynchronous Systems
  • Partitioned Transition Relations
• Efficient Reachability Techniques
  • MBFS and Saturation
• Saturation: Experimental Results
• Conclusions
Formal Verification: Introduction
• Use methods from formal logic
  • Show validity of properties on systems
  • Formal requirements hold on a design
  • Software, circuits, protocol models
• Alternative to simulation, testing
  • Not all behaviors covered
• Model checking
  • Verify concurrent systems
  • Introduced by Clarke et al. (1981)
  • An automated technique
Model Checking
• Finite state-transition model M and a property; determine whether M satisfies the property
• Properties like:
  • req is always followed by ack
  • No error state is reachable from the initial state
• Involves reachability analysis
  • Generate the set of reachable states
  • State space explosion
[Figure: state-space explosion, K vs. 2^K]
Asynchronous Systems
• Concurrent systems
  • Consist of several execution units
• Synchronous
  • All units take an execution step together
• Asynchronous
  • Units may execute independently of each other
  • Interleaved semantics of execution
  • E.g. concurrent software, asynchronous circuits
• Goal: Efficient model checking of asynchronous systems
[Figure: two approaches, Symbolic and Reduced State-Space]
Symbolic Model Checking
• Use Ordered Binary Decision Diagrams (BDDs)
  • Canonical, compact, operate on state sets
• Encode the system model M with BDDs
  • States encoded by boolean variables V
  • Transition relation also as a BDD N(V,V')
• Example: states s0, s1 over one boolean variable a, transitions t1, t2, t3
  N(a,a') = (¬a ∧ a') ∨ (a ∧ ¬a') ∨ (a ∧ a')
[Figure: transition system s0, s1 with transitions t1, t2, t3; BDD for N(a,a') under the variable ordering a < a']
Partial-Order Reduction
• Alternative model checking approach
  • Useful if the order of execution of transitions is irrelevant
  • Sufficient to visit a subset of the actual reachable state space
  • Choose a representative set of paths
• Focus of this talk
  • Full state space reachability using BDDs
[Figure: diamond of interleavings of independent transitions a and b, from s0 s0' via s1 s0' and s0 s1' to s1 s1']
Reachability Analysis
• One-step reachability:
  • Given a set of states S
  • Find which states S' can be reached in one step
• Iteratively apply one-step reachability
  • Until no new states are visited
• Breadth-first exploration of the graph
[Figure: frontiers R0, R1, R2 = R3 of a breadth-first exploration over states a to g]
The Bigger Picture
[Figure: two combinational circuits with delays, inputs I1, I2 and outputs o1, o2; output combinations o1 = 0, o2 = 0; o1 = 1, o2 = 0; o1 = 0, o2 = 1; is o1 = 1, o2 = 1 reachable?]
Symbolic Reachability: Image Computation
• Image of a set of states S
  • Transition relation N: one-step reachability
  • Basic operation, hence must be efficient
• Symbolic image computation: S(V), N(V,V') as BDDs
  • Img(S,N) = [∃v∈V. (S(V) ∧ N(V,V'))]
• Reachability (starting from initial S0):
  • Reach(S,N) = S ∪ Img(S,N)
  • Fixpoint: S. Reach(S,N), i.e. iterate until Reach(S,N) = S
• Efficiency problem: Large N(V,V')
  • Large intermediate BDD sizes in image computation
Illustration: Intermediate BDD Sizes
[Figure: Dining Philosophers model; #BDD nodes (0 to 40000) and #states (0 to 80 millions) plotted against iterations (0 to 270)]
Partitioned Transition Relations
• Introduced by Burch et al. [BCL91]
• Conjunction (∧) or disjunction (∨):
  • N(V,V') = N1 ∧ N2 ∧ … ∧ Nk or N(V,V') = N1 ∨ N2 ∨ … ∨ Nk
  • Typically, each Ni is much smaller than N
• Asynchronous systems with interleaving semantics:
  • N(V,V') = N1 ∨ N2 ∨ … ∨ Nk
  • Ni: only the ith unit executes
  • Img(S,N) = ⋁i Img(S,Ni)
[BCL91] J.R. Burch, E.M. Clarke, and D.E. Long. Symbolic model checking with partitioned transition relations. In A. Halaas and P.B. Denyer, editors, International Conference on Very Large Scale Integration, pages 49-58, Edinburgh, Scotland, 1991. North-Holland.
BDD Blowup
• Must consider different intermediate combinations of reachable states of concurrent units
  • Even if they are independent
  • Adds to intermediate BDD sizes
• Idea: Explore each unit separately to avoid such correlation [BCL91]
  • Modified Breadth-First Search (MBFS)
Modified Breadth-First Search (MBFS)
• Given a disjunctive partition N1, ..., Nk
  • Compute local fixpoints: S. Reach(S,Ni)
  • Stop when ∀i. Reach(S,Ni) = S
• Lower intermediate BDD sizes
• Chaotic fixpoint iteration strategy
  • Family of functions: {Reach(S,Ni) | i ≤ k}
  • Apply functions in arbitrary order till convergence
  • Must apply each function sufficiently often
• Observation: the MBFS strategy may not be able to avoid blowups in some cases
[Figure: N1*, N2*, N3*]
Illustration: BDD Blowup in MBFS
[Figure: state s = (v2, v1, ...), transition relations N1, N2, N3, ...; states s0 (00), s2 (01), s1 (11), s3 (10) connected by N1 and N2; MBFS explores (s0), (s0, s2), (s0, s1, s2), (s0, s1, s2, s3), with the BDD over v2, v1 shown after each step; applying N3 leads to BDD explosion]
Saturation: New Approach
• Assume a fixed variable ordering on BDDs: v1 < v2 < ... < vk
• Define
  • High(Ni): "least" variable that Ni might change
  • Low(Ni): "greatest" variable that Ni might change
• Order transition relations by [High(Ni), Low(Ni)]:
  • Nj ≺ Ni
  • Nj changes only "lower" BDD variables than Ni
[Figure: BDDs over v2, v1 for N2 and N1, with N1 ≺ N2]
Saturation (Contd.)
Saturate(Ni):
  do
    Compute S. Reach(S,Ni)       /* states reachable by only Ni */
    ∀ Nj ≺ Ni. Saturate(Nj)      /* explore all Nj ≺ Ni */
  until S does not change
• Visits all possible reachable states using "lower" transition relations than Ni
• Overall strategy: K partitions
  • For i = 1 to K: Saturate(Ni)
[Figure: N3*, N2*, N1*]
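The image computation (Img, Reach, fixpoint), the disjunctive partition Img(S,N) = ⋁i Img(S,Ni), the MBFS local-fixpoint loop and the Saturate procedure above, worked through on a constructed three-unit model; this is an added example, not code from the talk or from NuSMV. Python sets stand in for BDDs, so it cannot show the BDD-size effect the talk measures; it shows that the three strategies reach the same fixpoint and counts image computations, which on a model this small exposes the extra iterations the nested Saturate calls perform.

```python
# Constructed toy model (added here, not from the talk): three asynchronous units
# over boolean variables v1 < v2 < v3, state = (v1, v2, v3). Unit Ni changes only
# vi, so High(Ni) = Low(Ni) = vi and N1 ≺ N2 ≺ N3. Python sets stand in for BDDs.
def n1(s): return {(1 - s[0], s[1], s[2])}                     # toggles v1 freely
def n2(s): return {(s[0], 1 - s[1], s[2])} if s[0] else set()  # toggles v2 when v1 = 1
def n3(s): return {(s[0], s[1], 1 - s[2])} if s[1] else set()  # toggles v3 when v2 = 1
UNITS, S0 = [n1, n2, n3], {(0, 0, 0)}   # disjunctive partition N1 ∨ N2 ∨ N3; initial states
IMAGES = [0]                            # number of Img computations performed so far

def img(S, N):
    """Img(S,Ni) = ∃V. S(V) ∧ Ni(V,V'): one-step successors of S under unit Ni."""
    IMAGES[0] += 1
    return {t for s in S for t in N(s)}
def local_fixpoint(S, N):
    """Fixpoint of Reach(S,Ni) = S ∪ Img(S,Ni): all states reachable using Ni alone."""
    while True:
        T = S | img(S, N)
        if T == S:
            return S
        S = T
def bfs(S, units):
    """Breadth-first reachability: Img(S,N) = ⋁i Img(S,Ni) in every iteration."""
    while True:
        T = S.union(*(img(S, N) for N in units))
        if T == S:
            return S
        S = T
def mbfs(S, units):
    """MBFS: apply the local fixpoints in turn until ∀i. Reach(S,Ni) = S."""
    while True:
        before = S
        for N in units:
            S = local_fixpoint(S, N)
        if S == before:
            return S
def saturate(S, i, units):
    """Saturate(Ni): do { fixpoint of Reach(S,Ni); ∀ Nj ≺ Ni. Saturate(Nj) } until S stable."""
    while True:
        before = S
        S = local_fixpoint(S, units[i])
        for j in range(i):            # every Nj that changes only lower variables
            S = saturate(S, j, units)
        if S == before:
            return S
def saturation(S, units):
    """Overall strategy: for i = 1 to K, Saturate(Ni)."""
    for i in range(len(units)):
        S = saturate(S, i, units)
    return S
def run(strategy):  # run a strategy from S0; returns (reachable states, #image computations)
    IMAGES[0] = 0
    return frozenset(strategy(S0, UNITS)), IMAGES[0]
```

All three strategies reach the same eight states; on this model bfs and mbfs each perform 18 image computations while saturation performs 24, the spurious re-saturation of lower units that the Discussion slide lists as a drawback.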
Saturation: Discussion
• Advantages
  • Exploits independence of concurrent units
  • Lower intermediate BDD sizes than MBFS
  • Faster reachability computation in many cases
• Drawbacks
  • May lead to spurious iterations
  • Relies heavily on good variable ordering
Experimental Results
• Implemented the Saturation approach in the NuSMV model checker
  • Handles designs of industrial strength
• Comparison with NuSMV with default options

Model        Vanilla-NuSMV            NuSMV+Saturation
             #BDD nodes   time        #BDD nodes   time
Dph(5)       13982        2.37        476          0.51
Dph(100)     OOR          OOR         1208761      1550.8
Dme          869516       5329.15     16658        55.86
Kanban(20)   1099118      12339.77    28244        7.71

OOR: out of resources
Experimental Results (contd.)
• Implemented the MBFS approach in NuSMV
• Comparison with MBFS

Model        States     NuSMV+MBFS             NuSMV+Saturation
                        #BDD nodes   time      #BDD nodes   time
Dph(10)      9.03E+05   23660        6.33      18844        27.86
Kanban(20)   8.05E+11   77639        25.94     28187        7.56
Kanban(40)   9.94E+14   639334       756.95    199341       94.97
FMS(20)      6.03E+12   64262        38.27     63432        25.67
FMS(40)      2.64E+16   512273       406.86    512273       222.58
Experimental Results (contd.)
[Figure: Kanban(20): comparison of intermediate BDD sizes; #BDD nodes (thousands, 0 to 90) per iteration for MBFS and Saturation]
Conclusions
• Efficient methods to compute reachable states of asynchronous systems
  • Based on disjunctive partitions
  • MBFS
  • Alternative approach: Saturation
• Experimentally validated on several examples
• Future research
  • Heuristics for obtaining good BDD variable ordering automatically
  • Combining Saturation with Partial Order Reduction
Questions?