Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Implicit and explicit exploration of the reachable state space of Esterel logical circuits December 12 th, 2002 Yannis BRES Advisor: Gérard BERRY PhD.

Similar presentations


Presentation on theme: "1 Implicit and explicit exploration of the reachable state space of Esterel logical circuits December 12 th, 2002 Yannis BRES Advisor: Gérard BERRY PhD."— Presentation transcript:

1 1 Implicit and explicit exploration of the reachable state space of Esterel logical circuits December 12 th, 2002 Yannis BRES Advisor: Gérard BERRY PhD Defense

2 2 Outline Introduction: Context of this work, the reactive synchronous approach, Esterel, automata and circuits, reachable state space computation, BDDs I – Pure implicit approach: A formal verifier offering variable inputization or abstraction II – Enumerative approach: A versatile engine for the exploration of reachable state spaces: Automaton generation Formal verification Exhaustive test sequence generation Conclusions and future prospects

3 3 The reactive synchronous approach Based upon the semantic model of Finite State Machines (FSMs) Reactive programs: Execution split in reactions (instants), time is discrete Synchronous programs: Theoretical simplification: reaction duration is 0, instantaneous broadcast Environment analysis then reaction to this environment Broad application domain: Real-time systems Control/supervision of industrial processes Embedded systems Physical controlers …

4 4 Esterel A reactive synchronous imperative language with control-flow dominance Modules/blocks run in parallel or sequentially Modules/blocks can be preempted, suspended and resumed Communication performed through instantaneously broadcast signals Formal semantics module Synchronize : inputA, B; outputO; [ await A || await B ] ; emit O end module

5 5 Explicit automata Central design representation in Esterel v1, v2, v3: automata module Synchronize : inputA, B; outputO; [ await A || await B ] ; emit O end module Automata can be exponentials both:  in construction time  in storage space

6 6 Circuits Central design representation since Esterel v4: logical circuits Generation time and storage space are linear with respect to source code size

7 7 Automata vs. Circuits Let's add a C signal in the previous program…

8 8 Automata vs. Circuits Let's add a C signal in the previous program…

9 9 Formal verification by observers module Synchronize : inputA, B; outputO; [ await A || await B ] ; emit O end module abort await O ; emit BUG when A || Observers run in parallel with the program to be verified Safety properties: "something wrong never occurs" Safety properties: "something good will occur sooner or later" Answer formally to the question: "can BUG ever be emitted?"

10 10 Reachable state space computation reachable state space computation (RSS) Cornerstone of numerous applications: automaton generation generation of exhaustive test sequences formal verification equivalence checking

11 11 Reachable state space computation approachstate analysis transition analysis pure implicit BDDs enumerative implicit explicit Several approaches to RSS computation: "Onion" representation, by depth level: Initial state States reachable in 1 tick States reachable in 2 ticks States reachable in 3 ticks …

12 12 Binary Decision Diagrams (BDDs) Variable ordering is constant within the whole tree (here: x 1 < y 1 < x 2 < y 2 ) Variable node (x 1, x 2, y 1, y 2 ) Terminal node (0 or 1 constants) "When false" path "When true" path x1x1 y1y1 y1y1 x2x2 x2x2 x2x2 x2x2 y2y2 y2y2 y2y2 y2y2 y2y2 y2y2 y2y2 y2y (x 1  y 1 )  (x 2  y 2 )

13 13 Binary Decision Diagrams (BDDs) Several simplification rules: x1x1 y1y1 y1y1 x2x2 x2x2 x2x2 x2x2 y2y2 y2y2 y2y2 y2y2 y2y2 y2y2 y2y2 y2y ) 0 Useless tests are removed (x 1  y 1 )  (x 2  y 2 )

14 14 Binary Decision Diagrams (BDDs) Several simplification rules: x1x1 y1y1 y1y1 x2x2 x2x2 y2y2 y2y2 y2y2 y2y ) 0 2) Useless tests are removed Isomorph nodes/trees are shared (x 1  y 1 )  (x 2  y 2 )

15 15 Binary Decision Diagrams (BDDs) Several simplification rules: 1) 2) 3) x2x2 x2x2 x2x2 y2y2 y2y2 y2y2 y2y2 y2y2 y2y x1x1 y1y1 y1y1 x2x2 y2y2 y2y2 10 Useless tests are removed Isomorph nodes/trees are shared Edges are tagged in order to share opposite nodes (not shown here) (x 1  y 1 )  (x 2  y 2 )

16 16 Binary Decision Diagrams (BDDs) Worst-case complexities in both time and space: In most cases: Very efficient algorithms for boolean function manipulations A very compact representation of boolean functions Representation of sets through their caracteristic function Representation of functions associated to circuit gates Uses: =, -constant , ,  quadratic , substitutions exponential

17 17 Reachable state space computation using BDDs Exponentially complex wrt the number of involved variables: 1 BBD variable per input Intermediate variable: must be , doesn't appear in results 1 BDD variable per state variables (register/latch)  Goal: reducing the number of state variables! Persistent variable: must be , appears in results

18 18 Outline Introduction: Context of this work, the reactive synchronous approach, Esterel, automata and circuits, reachable state space computation, BDDs I – Pure implicit approach: A formal verifier offering variable inputization or abstraction II – Enumerative approach: A versatile engine for the exploration of reachable state spaces: Automaton generation Formal verification Exhaustive test sequence generation Conclusions and future prospects

19 19 Reducing the number of variables A usual technique for state variable number reduction: Turn state variables into free inputs (inputization) Less variables to substitute As many variables to  Our approach: abstract variables using a ternary-valued logic (0,1,d) Variables to be abstracted are replaced by the constant d (indifferent) Less variables to substitute Less variables to  Ternary-valued logic (0,1,d) :  dd  01d d d0dd  01d 001d 1111 dd1d vv0v0 v1v d = Abstracted variables are pre-quantified

20 20 Inputization and abstraction: example inputA, B; outputO; [ await A || await B ] ; emit O inputizationabstraction

21 21 Over-approximation Both inputization and abstraction weakens contraints between variables  Conservative over-approximation with respect to the RSS  "Snowball effect" Inputization maintains correlation between variable instances r   r  i   i = 0r   r  i   i = 1 Abstraction loses correlation between variable instances r   r  d   d = dr   r  d   d = d  Formal verif.: no erroneous validation, only erroneous refutations + -

22 22 Over-approximation Both inputization and abstraction weakens contraints between variables  Conservative over-approximation with respect to the RSS  "Snowball effect" Inputization maintains correlation between variable instances r   r  i   i = 0r   r  i   i = 1 Abstraction lose correlation between variable instances r   r  d   d = dr   r  d   d = d  Formal verif.: no erroneous validation, only erroneous refutations Additional source of over-approximation within the RSS computation when using a ternary-valued logic: set widening In practice, when over-approximation races out of control, erroneous refutations arise very quickly and computations stop +

23 23 The Esterel selection tree [ await I1 ; do something ; await I2 ; do something || await I3 ; do something ] ; await I4 ; do something #  # Allows to reduce over-approximation in two ways: Reinforcement of relations between inputs for inputized variables RSS ceiling

24 24 Our formal verifier: evcl Esterel Verification Command Line Main functionalities: Over-approximation reduction using structural informations White-box (integrated observers) / Black-box (external observers) … > lines of C++ (and > lines of shared libraries) Variable inputization and abstraction Experimentations: (Mirage fuel management system, A380 warning system) Abstraction can be up to 26 times faster than inputization When over-approximation races out of control, computations stop quickly  Nothing to lose in trying it!

25 25 Outline Introduction: Context of this work, the reactive synchronous approach, Esterel, automata and circuits, reachable state space computation, BDDs I – Pure implicit approach: A formal verifier offering variable inputization or abstraction II – Enumerative approach: A versatile engine for the exploration of reachable state spaces: Automaton generation Formal verification Exhaustive test sequence generation Conclusions and future prospects

26 26 Reachable state space computation approachstate analysis transition analysis pure implicit BDDs enumérative implicit explicit Several approaches to RSS computation: "Onion" representation, by depth level: Initial state States reachable in 1 tick States reachable in 2 ticks States reachable in 3 ticks …

27 27 Enumerative RSS computation A versatile engine for the exploration of reachable state spaces: States are individually analysed by propagating information within the circuit Pure explicit approach: Transitions analysed through recursive branchings on inputs Hybrid implicit/explicit approach: Transitions analysed through BDD propagations Automaton generation Transparent support for (constructive) cyclic circuits Several heuristics aiming at avoiding time or space explosion  Very good performances > lines of C++ (and > lines of shared libraries) Formal verification Exhaustive test sequence generation

28 28 Automaton generation Risk of explosion in both time and space A maximum of the control flow is computed at compilation time Usually a very efficient implementation Only data-dependent expressions remain to be evaluated at run time Central design representation in Esterel v1, v2, v3: automata Central design representation since Esterel v4: logical circuits Automaton generation has been neglected since v4: v4 generator had very bad performances Automata explicit numerous informations concerning designs Basically linear wrt source code in both generation time and storage space Advantages of automata remain! v4 generator could not handle cyclic circuits …

29 29 Automaton generation Enumerative approach practicaly unavoidable Pure explicit approach better than hybrid approach How to generate an automaton? Our automaton generator, scoc : By far more efficient than the v4 generator Integrated into the Esterel compiler since v5_91 (too much BDD cofactorisations are required) (for the respect of action causality) From now on marketed by Esterel Technologies Inc.

30 30 Application to formal verification Pure implicit approach unavoidable for most designs Pure implicit approach drawbacks: Behaviour difficult to foresee, risks of explosion Can only be applied to acyclic circuits Very sensitive to redundant registers Enumerative approach pros: Behaviour usually very steady Transparent support for cyclic circuits Non-sensitive to redundant registers or design depth Usually a lot much slower, can only be used in precise cases: Deep designs (SAT   ) Designs with numerous redundant registers (BDDs   )

31 31 Formal verification – experimentations Purely linear testbench (depth: 243; states: 243) Texas Instruments data bus (depth: 181; states: ) SAT (Prover) pure implicit approach pure explicit approach implicit / explicit approach no result after >3h39mn1.6s1.8s < 40 Mb8.5 Mbinsignifiant memory consumption SAT (Prover) pure implicit approach pure explicit approach implicit / explicit approach nothing after several hours 17mn:  (depth 9) 2h 33mn3h 09mn ???2 Gb104 Mb110 Mb

32 32 Generation of exhaustive test sequences Finite State Machine semantic model: Different coverage goals: State coverage Coverage of pathes leading to specific signals emission Transition coverage …  Generation of exhaustive tests sequences is feasible

33 33 Generation of exhaustive test sequences Esterel Technologies approach: pure implicit Standard RSS computation (except for transition coverage) Transitions are built by reverse image computations Coverage data updates  BDD updates Complete transition coverage not implemented Only connected state pairs are connected Enumerative approach is more suited and not sensitive to coverage goal Number of state variables is doubled

34 34 State coverage – Experimentations designstates implicit approach implicit / explicit approach ratio # sequ.time# sequ.time NDA  3.5 Arbiter1213cyclic10.03 NDA  3.5 Wristwatch  16 NDA  11 ATDS-100-C  36 Renault  39 Testbench243killed after >>1h13.16 TCINT  86 NDA  76 NDA  39

35 35 Conclusions A formal verification tool based on pure implicit approach: An engine for the exploration of reachable state spaces: Automaton generation Formal verification Variables can be replaced by free inputs Variables can be abstracted using a ternary-valued logic Over-approximation reduction using structural information White/Black box verification … Enumerative analysis of states Generation of exhaustive test sequences Explicit or implicit analysis of transitions Versatile:

36 36 Future prospects Implicit approach: Variable weighting heuristics of Quer/Cabodi et al. ? Automate the selection of variables to inputize/abstract Combine variable abstraction and RSS computation decomposition Enumerative approach: Compact the known state table State analysis prioritization (bug chasing) In case of excessive over-approximation, refine abstraction Counter-example analysis of Clarke/Grumberg et al. Cho/Govidaraju et al. approaches … Bitstate hashing of Holzmann, hash compaction of Stern/Dill et al. Yang/Dill et al. …


Download ppt "1 Implicit and explicit exploration of the reachable state space of Esterel logical circuits December 12 th, 2002 Yannis BRES Advisor: Gérard BERRY PhD."

Similar presentations


Ads by Google