Presentation is loading. Please wait.

Presentation is loading. Please wait.

Optimizing Symbolic Model Checking for Constraint-Rich Systems Randal E. Bryant Bwolen Yang, Reid Simmons, David R. O’Hallaron Carnegie Mellon University.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Optimizing Symbolic Model Checking for Constraint-Rich Systems Randal E. Bryant Bwolen Yang, Reid Simmons, David R. O’Hallaron Carnegie Mellon University."— Presentation transcript:

1 Optimizing Symbolic Model Checking for Constraint-Rich Systems Randal E. Bryant Bwolen Yang, Reid Simmons, David R. O’Hallaron Carnegie Mellon University

2 2 NASA’s Deep Space One (DS1) Spacecraft fault diagnosis model qualitatively describes spacecraft’s behavior

3 3 Autonomous Spacecraft NASA DS1’s Fault Diagnosis Model Fault Diagnosis Model á component’s interconnections (thrusters, motors, valves…) á component’s state: mode (thruster’s force: low / nominal / high) Also in Robot Explorer ( Nomad: Antarctic meteorite explorer) Livingstone Diagnostic Engine [William & Nayak ’96] Sensor Data Fault Diagnosis Model consistent?

4 4 Verification of DS1’s Fault Diagnosis Model [Simmons, CMU] Automatically Translated to SMV Model Checker á state transition == component’s mode changes á time-invariant constraints »sensor values and modes »interconnection between components á automatic translation ==> little / no manual optimization »vs. models built from scratch by verification experts

5 5 Verification of DS1’s Fault Diagnosis Model Challenge Failed due to Large Number of State Variables á 600-1200 state bits »model checker’s capacity: ~ a few hundred state bits Observation á dominated by time-invariant constraints

6 6 Time-Invariant Constraints Example 1 Establish Interface component 2 in min(out, c) == in component 1 out c: capacity of the pipe “in” is redundant

7 7 Time-Invariant Constraints Example 2 Use of Generic Parts (both software / hardware) á specific use ==> constraints bi-directional specialize component 2 in component 1 out redundant components! e.g., valves always set to the same direction

8 8 Time-Invariant Constraints Observation 1 (Example 1 + 2) Many Unnecessary State Variables (macros) á Establish Interface in := min(out, c) á Specific Use of Generic Parts valve-direction := some constant (after inlining the module)

9 9 Time-Invariant Constraints Example 3 Indirection (based on the specification) transition relation next(bus.state) := complex expression f invariant constraints device1.output1 := switch (bus.state) … device1.output2 := switch (bus.state) …

10 10 Time-Invariant Constraints Example 4 Consistent Non-Deterministic Choices invariant constraint cmd := expression f with non-determinism (due to incomplete specification or abstraction) transition relations next(device1.output1) := switch (cmd) … next(device1.output2) := switch (cmd) …

11 11 Time-Invariant Constraints Observation 2 (Example 3 + 4) Variables w/ Constraints Used in Current State Only á Indirection device1.output1 := switch (bus.state) … device1.output2 := switch (bus.state) … á Consistent Non-Deterministic Choices cmd := expression f with non-determinism (due to incomplete specification or abstraction) ==> Corresponding Next-State BDD Variables NOT Used early quantification in pre-image computation »pre-image quantifies out next-state variables

12 12 Time-Invariant Constraints Example 5 Conditional Assignments (tank == non-empty) => (out-pressure.sign := positive) & (out-pressure.relative := nominal) Note á occurs for interface and indirection á mostly simple (as above), but sometimes quite complicated »p1 => ((p2 => (a := …)) & (p3 => (b := …)) »most complicated expression has > 10,000 characters

13 13 Time-Invariant Constraints Observation 3 (Example 5) Combining Time-Invariant ==> Macros p1 => (a := …) p2 => (a := …) p3 => (a := …) … ==> a := some deterministic expression complex expressions ==> syntactic analysis is insufficient

14 14 Time-Invariant Constraints á arise from modeling á may have lots of redundant state bits Our Solutions á remove redundant state variables »identify macros: assignment-extraction algorithm »select macros: BDD characteristics á partition (conjunctive partitioning) remaining constraints »apply an improved version of [Ranjan et al. ’95] algorithm Optimizations for Constraint-Rich Models

15 15 Related Work [Berthet, et al. ’90] [Lin & Newton ’91] [Hu & Dill ’93] [Eijk & Jess ’96] [Sentovich, et al. ’96] Problems á require constraints to be combined first á removal is not always beneficial Redundant State-Variable Removal Problem Statement c ? v == g if so, v is redundant replace v with g Given invariant constraint c and state variable v, Question

16 16 Redundant State-Variable Removal Our Approach: Assignment Extraction Algorithm cici v G i non-deterministic assignment If G i = { g i }, we have v == g i

17 17 Redundant State-Variable Removal Partitioned Constraints c1c1 v G 1 use graph sizes to determine the “goodness” of g v == g ? c2c2 v G 2 cncn v G n

18 18 Target To Construct a Solution for G i for all k K v where K v is the set of possible values of v c i ==> (v G i ) Redundant State-Variable Removal Assignment Extraction Algorithm (Core Idea) c i | v=k ==> (k G i ) [substitute v with k] G i = U ( if c i | v=k then { k } else { } ) k K v

19 19 image(S) =   V. T  (S  C) =   V  W . T  [   W. (S  C) ] where T does not depend on variables in W. á many variables used only in time-invariant constraint Represent C as Conjunctive Partition á C 1  C 2  …  C m á monolithic BDD is too large to build Conjunctive Partitioning of Time-Invariant Constraints

20 20 Optimizations for Constraint-Rich Models Overall Impact time (sec)

21 21 á BDD-Based Macro Optimization Early-Quantification of W for   V. T  [   W. (S  C) ] without and with macro optimization Performance Breakdown

22 22 Effects of BDD-Based Macro ( No Early Quantification) time (sec)

23 23 Effects of BDD-Based Macro: Causes % bdd vars removed

24 24 BDD-Based Macro Optimization á Early-Quantification of W for   V. T  [   W. (S  C) ] without and with macro optimization Performance Breakdown

25 25 Effects of Early Quantification ( No Macro Optimization) time (sec)

26 26 Effects of Early Quantification: Causes ( No Macro Optimization) % bdd vars extracted Maximum achievable = 50%

27 27 Effects of Early Quantification ( With Macro Optimization) time (sec)

28 28 Summary & Future Work Optimizations for Constraint-Rich Models á Enabled verification for DS1’s fault diagnosis model »159 specs within 1 min á Typical of effort required to deal with models generated automatically from modular description BDD Algorithms for Compiler-Type Analysis á Assignment-Extraction Algorithm »cone-of-influence analysis: exact dependence information

Download ppt "Optimizing Symbolic Model Checking for Constraint-Rich Systems Randal E. Bryant Bwolen Yang, Reid Simmons, David R. O’Hallaron Carnegie Mellon University."

Similar presentations

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Seyedehmehrnaz Mireslami, Mohammad Moshirpour, Behrouz H. Far Department of Electrical and Computer Engineering University of Calgary, Canada {smiresla,

Seyedehmehrnaz Mireslami, Mohammad Moshirpour, Behrouz H. Far Department of Electrical and Computer Engineering University of Calgary, Canada {smiresla,
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
© Charles Pecheur 1 Dagstuhl 5-9 Nov 2001 Symbolic Model Checking of Domain Models for Autonomous Spacecrafts Charles Pecheur (RIACS / NASA Ames)

© Charles Pecheur 1 Dagstuhl 5-9 Nov 2001 Symbolic Model Checking of Domain Models for Autonomous Spacecrafts Charles Pecheur (RIACS / NASA Ames)
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Give qualifications of instructors: DAP

Give qualifications of instructors: DAP
Problem Solving by Searching Copyright, 1996 © Dale Carnegie & Associates, Inc. Chapter 3 Spring 2007.

Problem Solving by Searching Copyright, 1996 © Dale Carnegie & Associates, Inc. Chapter 3 Spring 2007.
Supervisory Control of Hybrid Systems Written by X. D. Koutsoukos et al. Presented by Wu, Jian 04/16/2002.

Supervisory Control of Hybrid Systems Written by X. D. Koutsoukos et al. Presented by Wu, Jian 04/16/2002.
MBD in real-world system… Self-Configuring Systems Meir Kalech Partially based on slides of Brian Williams.

MBD in real-world system… Self-Configuring Systems Meir Kalech Partially based on slides of Brian Williams.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.

6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.
CS 151 Digital Systems Design Lecture 37 Register Transfer Level

CS 151 Digital Systems Design Lecture 37 Register Transfer Level
Today’s Agenda  HW #1 Due  Quick Review  Finish Input Space Partitioning  Combinatorial Testing Software Testing and Maintenance 1.

Today’s Agenda  HW #1 Due  Quick Review  Finish Input Space Partitioning  Combinatorial Testing Software Testing and Maintenance 1.
Planning Copyright, 1996 © Dale Carnegie & Associates, Inc. Chapter 11.

Planning Copyright, 1996 © Dale Carnegie & Associates, Inc. Chapter 11.
© Charles Pecheur 1 SAS 2001 Verification and Validation of Model-Based Autonomous Systems Charles Pecheur, RIACS (ARC)

© Charles Pecheur 1 SAS 2001 Verification and Validation of Model-Based Autonomous Systems Charles Pecheur, RIACS (ARC)
Detailed Design Kenneth M. Anderson Lecture 21

Detailed Design Kenneth M. Anderson Lecture 21
1 HW/SW Partitioning Embedded Systems Design. 2 Hardware/Software Codesign “Exploration of the system design space formed by combinations of hardware.

1 HW/SW Partitioning Embedded Systems Design. 2 Hardware/Software Codesign “Exploration of the system design space formed by combinations of hardware.
02/02/20091 Logic devices can be classified into two broad categories Fixed Programmable Programmable Logic Device Introduction Lecture Notes – Lab 2.

02/02/20091 Logic devices can be classified into two broad categories Fixed Programmable Programmable Logic Device Introduction Lecture Notes – Lab 2.
Presenter : Shih-Tung Huang Tsung-Cheng Lin Kuan-Fu Kuo 2015/6/15 EICE team Model-Level Debugging of Embedded Real-Time Systems Wolfgang Haberl, Markus.

Presenter : Shih-Tung Huang Tsung-Cheng Lin Kuan-Fu Kuo 2015/6/15 EICE team Model-Level Debugging of Embedded Real-Time Systems Wolfgang Haberl, Markus.
Behavioral Design Outline –Design Specification –Behavioral Design –Behavioral Specification –Hardware Description Languages –Behavioral Simulation –Behavioral.

Behavioral Design Outline –Design Specification –Behavioral Design –Behavioral Specification –Hardware Description Languages –Behavioral Simulation –Behavioral.

Similar presentations

Ads by Google