Binary Decision Diagrams and Symbolic Model Checking
Randy Bryant (CMU), Ed Clarke (CMU), Ken McMillan (Cadence), Allen Emerson (U Texas)
http://www.cs.cmu.edu/~bryant
– 2 –
Binary Decision Diagrams
Restricted Form of Branching Program
  Graph representation of Boolean function
  Canonical form
  Simple algorithms to construct & manipulate
Application Niche
  Problems expressed as Quantified Boolean Formulas
  A lot of interesting problems are in PSPACE
Symbolic Model Checking
  Prove properties about large-scale, finite-state system
  Successfully used to verify hardware systems
– 3 –
Boolean Function as Language
Truth Table / Language
View n-variable Boolean function as language ⊆ {0,1}^n
Reduced DFA is canonical representation

  x1 x2 x3 | f
  ---------+--
   0  0  0 | 0
   0  0  1 | 0
   0  1  0 | 0
   0  1  1 | 1
   1  0  0 | 0
   1  0  1 | 1
   1  1  0 | 0
   1  1  1 | 1

Language accepted: { 011, 101, 111 }
[Figure: reduced DFA over {0,1} accepting exactly these three strings; edges labeled 0, 1 and 0,1]
– 4 –
From DFA to OBDD
[Figure, three stages: the DFA for { 011, 101, 111 } redrawn as a decision graph over x1, x2, x3 with two x2 nodes; the two x2 nodes merged into one; the final OBDD with terminals 0 and 1]
Canonical representation of Boolean function
  Two functions equivalent if and only if graphs isomorphic
  Desirable property: simplest form is canonical.
Functions
  All outputs of 4-bit adder
  Functions of data inputs
[Figure: 4-bit adder ADD with inputs A, B and outputs Cout, S]
Shared Representation
  Graph with multiple roots
  31 nodes for 4-bit adder
  571 nodes for 64-bit adder
  Linear growth
– 6 –
Effect of Variable Ordering
  (a1 ∧ b1) ∨ (a2 ∧ b2) ∨ (a3 ∧ b3)
Good Ordering (a1, b1, a2, b2, a3, b3)
  Linear Growth
  [Figure: OBDD with one node per variable, 6 nonterminal nodes plus terminals 0 and 1]
Bad Ordering (a1, a2, a3, b1, b2, b3)
  Exponential Growth
  [Figure: OBDD with 14 nonterminal nodes plus terminals 0 and 1]
– 7 –
Sample Function Classes

  Function Class   Best         Worst        Ordering Sensitivity
  ALU (Add/Sub)    linear       exponential  High
  Symmetric        linear       quadratic    None
  Multiplication   exponential  exponential  Low

General Experience
  Many tasks have reasonable OBDD representations
  Algorithms remain practical for up to 500,000 node OBDDs
  Heuristic ordering methods generally satisfactory
– 8 –
Symbolic Manipulation with OBDDs
Strategy
  Represent data as set of OBDDs
    Identical variable orderings
  Express solution method as sequence of symbolic operations
    Sequence of constructor & query operations
    Similar style to on-line algorithm
  Implement each operation by OBDD manipulation
    Do all the work in the constructor operations
Key Algorithmic Properties
  Arguments are OBDDs with identical variable orderings
  Result is OBDD with same ordering
  Each step polynomial complexity
– 9 –
If-Then-Else Operation
Arguments I, T, E
  Functions over variables X
  Represented as OBDDs

Restriction Operation
Effect of setting function argument x_i to constant k (0 or 1).
Also called Cofactor operation (UCB)
  F_x equivalent to F[x = 1]
  F_x̄ equivalent to F[x = 0]
[Figure: F over x1, ..., x_i-1, x_i, x_i+1, ..., xn; with x_i fixed to k, the result F[x_i = k] depends only on the remaining variables]
– 13 –
Restriction Execution Example
[Figure: Argument F, an OBDD over a, b, c, d with terminals 0 and 1; Restriction F[b=1], in which each b node is replaced by its 1-branch; Reduced Result, an OBDD over a, c, d]
– 14 –
Derived Algebraic Operations
Other operations can be expressed in terms of If-Then-Else
  And(F, G) = If-Then-Else(F, G, 0)    [Figure: MUX selecting G when F = 1 and 0 when F = 0]
  Or(F, G)  = If-Then-Else(F, 1, G)    [Figure: MUX selecting 1 when F = 1 and G when F = 0]
– 15 –
Generating OBDD from Network
Task: Represent output functions of gate network as OBDDs.
Network Evaluation
  A ← new_var("a");
  B ← new_var("b");
  C ← new_var("c");
  T1 ← And(A, 0, B);
  T2 ← And(B, C);
  Out ← Or(T1, T2);
[Figure: gate network with inputs A, B, C, intermediate nets T1, T2 and output Out, and the Resulting Graphs: OBDDs for A, B, C, T1, T2 and Out over variables a, b, c with terminals 0 and 1]
– 16 –
Functional Composition
Create new function by composing functions F and G.
Useful for composing hierarchical modules.
[Figure: F and G, both over x1, ..., xn, give F[x_i = G]; built as a MUX controlled by G that selects between the cofactors F[x_i = 1] and F[x_i = 0]]
– 17 –
Variable Quantification
Eliminate dependency on some argument through quantification
  ∃x_i F = F[x_i = 0] ∨ F[x_i = 1]
Combine with AND for universal quantification.
[Figure: F over x1, ..., xn; the cofactors F[x_i = 0] and F[x_i = 1] are OR'ed to give ∃x_i F over the remaining variables]
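The operations of slides 6 through 17 (reduction to canonical form, Restriction, If-Then-Else with And/Or derived from it, and existential quantification as the OR of the two cofactors) in a small Python ROBDD package, added here as an example and not code from the original slides. The class layout, the unique-table scheme and the helper pairwise_and_or are this example's own; node_count reproduces the slide-6 comparison of the good and bad orderings for (a1 ∧ b1) ∨ (a2 ∧ b2) ∨ (a3 ∧ b3).

```python
class BDD:
    def __init__(self, order):
        self.level = {v: i for i, v in enumerate(order)}  # variable -> position in the ordering
        self.nodes = {0: None, 1: None}                    # id -> (var, low, high); 0/1 are terminals
        self.unique, self.cache = {}, {}                   # hash-consing table, memo for ite/restrict
    def mk(self, var, low, high):      # reduce: drop redundant tests, share identical subgraphs
        if low == high: return low
        key = (var, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.nodes); self.nodes[self.unique[key]] = key
        return self.unique[key]
    def restrict(self, f, v, k):       # cofactor F[v=k]: fix variable v to the constant k
        if f <= 1 or self.level[self.nodes[f][0]] > self.level[v]:
            return f                   # terminal, or f lies entirely below v in the ordering
        key = ("restrict", f, v, k)
        if key not in self.cache:
            var, lo, hi = self.nodes[f]
            self.cache[key] = (hi if k else lo) if var == v else \
                self.mk(var, self.restrict(lo, v, k), self.restrict(hi, v, k))
        return self.cache[key]
    def ite(self, i, t, e):            # If-Then-Else(I, T, E): Shannon expansion on the top variable
        if i == 1 or t == e: return t
        if i == 0: return e
        if (t, e) == (1, 0): return i
        key = ("ite", i, t, e)
        if key not in self.cache:
            v = self.nodes[min((x for x in (i, t, e) if x > 1),
                               key=lambda x: self.level[self.nodes[x][0]])][0]
            self.cache[key] = self.mk(v, self.ite(*(self.restrict(x, v, 0) for x in (i, t, e))),
                                         self.ite(*(self.restrict(x, v, 1) for x in (i, t, e))))
        return self.cache[key]
    def And(self, f, g): return self.ite(f, g, 0)    # derived operations, as on the slides
    def Or(self, f, g): return self.ite(f, 1, g)
    def exists(self, f, v): return self.Or(self.restrict(f, v, 0), self.restrict(f, v, 1))
    def size(self, f):                 # nonterminal nodes reachable from f (the OBDD's size)
        seen, stack = set(), [f]
        while stack:
            n = stack.pop()
            if n > 1 and n not in seen:
                seen.add(n); stack.extend(self.nodes[n][1:])
        return len(seen)

def pairwise_and_or(bdd, n):           # (a1 AND b1) OR ... OR (an AND bn), the slide-6 function
    f = 0
    for i in range(1, n + 1):
        f = bdd.Or(f, bdd.And(bdd.mk(f"a{i}", 0, 1), bdd.mk(f"b{i}", 0, 1)))
    return f
def node_count(order):                 # size of that function's OBDD under the given ordering
    bdd = BDD(order)
    return bdd.size(pairwise_and_or(bdd, len(order) // 2))
```

Because every function built in one BDD object is hash-consed, two expressions are equivalent exactly when they return the same node id, which is the canonicity property slide 4 describes.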
– 18 –
Finite State System Analysis
Systems Represented as Finite State Machines
  Sequential circuits
  Communication protocols
  Synchronization programs
Analysis Tasks
  State reachability
  State machine comparison
  Temporal logic model checking
Traditional Methods Impractical for Large Machines
  Polynomial in number of states
  Number of states exponential in number of state variables.
  Example: single 32-bit register has 4,294,967,296 states!
– 19 –
Temporal Logic Model Checking
Verify Reactive Systems
  Construct state machine representation of reactive system
    Nondeterminism expresses range of possible behaviors
    “Product” of component state machines
  Express desired behavior as formula in temporal logic
  Determine whether or not property holds
[Figure: a Traffic Light Controller Design and the property “It is never possible to have a green light for both N-S and E-W.” are fed to the Model Checker, which answers True, or False + Counterexample]
– 20 –
Characteristic Functions
Concept
  A ⊆ {0,1}^n
    Set of bit vectors of length n
  Represent set A as Boolean function A of n variables
[Figure: A as a 0/1-valued function of its n inputs; Union and Intersection of sets A and B]
R_i – set of states that can be reached in i transitions
  Reach fixed point when R_n = R_{n+1}
  Guaranteed since finite state
– 24 –
Iterative Computation
R_{i+1} – set of states that can be reached in i+1 transitions
  Either in R_i
  or single transition away from some element of R_i
[Figure: R_i over the old state variables is combined with the transition relation δ; quantifying out (∃) the old state gives the new states, which are unioned with R_i to form R_{i+1}]
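The reachability iteration of slides 20 through 24 applied to the traffic-light property of slide 19, as an added example that is not from the original slides. Characteristic functions are stood in for by explicit Python sets rather than OBDDs (so the quantification step is a set comprehension), and the controller, its 2-bit light encoding and the injected bug are constructed for this example.

```python
from itertools import product

RED, GREEN, YELLOW = (0, 0), (0, 1), (1, 0)        # constructed 2-bit encoding of one light
NEXT = {RED: GREEN, GREEN: YELLOW, YELLOW: RED}     # a light's own cycle

def transition_relation(buggy=False):
    """delta as a set of (state, next_state) pairs over 4-bit states ns_bits + ew_bits.
    Correct controller: a light may advance only while the other light is red (or idle).
    Constructed bug: EW may also advance while NS is green."""
    delta = set()
    for ns, ew in product(NEXT, NEXT):
        s = ns + ew
        delta.add((s, s))                                           # idle step
        if ew == RED:
            delta.add((s, NEXT[ns] + ew))
        if ns == RED or (buggy and ns == GREEN):
            delta.add((s, ns + NEXT[ew]))
    return delta

def image(states, delta):
    """{s' : exists s in states with (s, s') in delta}: the relational product with the
    old-state variables quantified out, here on explicit sets instead of OBDDs."""
    return {s2 for s1, s2 in delta if s1 in states}

def reachable_layers(init, delta):
    """R_0 = init, R_{i+1} = R_i union image(R_i), until R_{n+1} == R_n (a fixed point,
    guaranteed because the state space is finite).  Returns [R_0, ..., R_n]."""
    layers = [frozenset(init)]
    while True:
        nxt = layers[-1] | image(layers[-1], delta)
        if nxt == layers[-1]:
            return layers
        layers.append(nxt)

def counterexample(layers, bad, delta):
    """Trace from an initial state to `bad`: step back one layer at a time, picking in
    R_{i-1} a predecessor of the state first reached in R_i."""
    trace = [bad]
    while trace[0] not in layers[0]:
        i = next(i for i, R in enumerate(layers) if trace[0] in R)
        trace.insert(0, next(s for s in layers[i - 1] if (s, trace[0]) in delta))
    return trace

def check_never_both_green(buggy=False):
    """Model-check the slide's property; returns (True, None) or (False, counterexample)."""
    delta = transition_relation(buggy)
    layers = reachable_layers({RED + RED}, delta)
    bad = [s for s in layers[-1] if s[:2] == GREEN and s[2:] == GREEN]
    return (True, None) if not bad else (False, counterexample(layers, bad[0], delta))
```

With OBDDs the same loop runs with image as the relational product of the characteristic functions, and the layers R_0, ..., R_n kept for counterexample generation are themselves OBDDs.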
– 25 –
Symbolic FSM Analysis Example
K. McMillan, E. Clarke (CMU), J. Schwalbe (Encore Computer)
Encore Gigamax Cache System
  Distributed memory multiprocessor
  Cache system to improve access time
  Complex hardware and synchronization protocol.
Verification
  Create “simplified” finite state model of system (10^9 states!)
  Verify properties about set of reachable states
Bug Detected
  Sequence of 13 bus events leading to deadlock
  With random simulations, would require ≈2 years to generate failing case.
  In real system, would yield MTBF < 1 day.
– 26 –
System Modeling Example
Gigamax Memory System
[Figure: Cluster #1 Bus with two Proc. units, Cache Control., Mem. Cache Control. and an Interface to the Global Bus; Cluster #2 and Cluster #3 are replaced by Abstractions with their own Interfaces, issuing arbitrary reads & writes]
Simplifying Abstractions
  Single word cache
  Single bit/word
  Abstract other clusters
  Imprecise timing
– 27 –
Commercial Applications of Symbolic Model Checking
Several Commercial Tools
  Difficult training and customer support
Most Large Companies Have In-House Versions
  IBM, Lucent, Intel, Motorola, SGI, Fujitsu, Siemens, …
  Many based on McMillan’s SMV program
Requires Sophistication
  Beyond that of mainstream designers
– 28 –
Application Challenge
[Figure: Challenging Systems to Design lie beyond Model Checking Capacity when plotted by System Size against Degree of Concurrency]
Cannot Apply Directly to Full Scale Design
  Verify smaller subsystems
  Verify abstracted versions of full system
    Must understand system & tool to do effectively
– 29 –
Real World Issues
Still Too Volatile
  Fail by running out of space
  Useless once exceed physical memory capacity
Ongoing Research to Improve Memory Performance
  Dynamic variable ordering
  Exploiting modularity of system model

Periodically Attempt to Improve Ordering for All BDDs
  Part of garbage collection
  Move each variable through ordering to find its best location
Has Proved Very Successful
  Time consuming but effective
  Especially for sequential circuit analysis
– 31 –
Dynamic Reordering By Sifting
[Figure: the OBDD for (a1 ∧ b1) ∨ (a2 ∧ b2) ∨ (a3 ∧ b3) redrawn as one variable is sifted through every position of the ordering a1, a2, a3, b1, b2, b3; the positions giving the smallest graphs are marked as Best Choices]
Choose candidate variable
  Try all positions in variable ordering
    Repeatedly swap with adjacent variable
  Move to best position found
Localized Effect
  Add / delete / alter only nodes labeled by swapping variables
  Do not change any incoming pointers
[Figure: swapping adjacent variables b1 and b2; the b1 and b2 nodes are rebuilt while their children e, f, g, h, i, j and all pointers into the level are unchanged]
– 33 –
Tuning of BDD Packages
Cooperative Effort
  Bwolen Yang, in cooperation with researchers from Colorado, Synopsys, CMU, and T.U. Eindhoven
  Measure & improve performance of BDDs for symbolic model checking
Methodology
  Generated set of benchmark traces
  Run 6 different packages on same machine
  Compare results and share findings
    Cooperative competition
– 34 –
Effect of Optimizations
Compare pre- vs. post-optimized results for 96 runs
  6 different BDD packages
  16 benchmark traces each
  Limit each run to maximum of 8 CPU hours and 900 MB
  Measure speedup = T_old / T_new or:
    New: Failed before but now succeeds
    Fail: Fail both times
    Bad: Succeeded before, but now fails

Generally Stay Small Enough
  Especially for digital circuit applications
  Given good choice of variable ordering
Weak Competition
  No other method comes close in overall strength
  Especially with quantification operations
– 37 –
Thoughts on Algorithms Research
Need to be Willing to Attack Intractable Problems
  Many real-world problems NP-hard
  No approximations for verification
Who Works on These?
  Mostly people in application domain
    Most work on BDDs in computer-aided design conferences
  Not by people with greatest talent in algorithms
    No papers in STOC/FOCS/SODA
    Probably many ways they could improve things
Fundamental dilemma
  Can only make weak formal statements about efficiency
  Utility demonstrated empirically