
CIS 540 Principles of Embedded Computation Spring 2016 Instructor: Rajeev Alur




1 CIS 540 Principles of Embedded Computation Spring 2016 http://www.seas.upenn.edu/~cis540/ Instructor: Rajeev Alur alur@cis.upenn.edu

2 Recap: Symbolic Transition Systems
- Region over variables X is a data structure that represents a set of states assigning values to X
- Transition system T with state variables S is represented by
  - Region φ_I over S for initial states
  - Region φ_T over S ∪ S’ for transitions
- Symbolic representation can be compiled automatically from code for updating variables
- To get φ_T from the reaction description of a Synchronous Reactive Component, local/input/output vars must be existentially quantified (see textbook for examples)
CIS 540 Spring 2016; Lecture Feb 15

3 Operations on Regions
- In general, we want to represent sets of states by a data type reg, which should support the following operations
- Disj(A,B): Returns the region that contains states either in A or in B
  - For formulas, this is just “A | B”
- Conj(A,B): Returns the region containing states that are in both A and B
  - For formulas, this is just “A & B”
- Diff(A,B): Returns the region containing states in A but not in B
  - For formulas, this is “A & ~B”
- IsEmpty(A): Returns 0 if region A contains some state, and 1 otherwise
  - For formulas, this requires testing “satisfiability”: can the variables in the formula be assigned values that make the formula true?
- Exists(A,X): Returns the projection of A obtained by quantifying out the variables in X
  - For formulas, this requires “quantifier elimination”
- Rename(A,X,Y): Rename the variables in X to the corresponding vars in Y
  - For formulas, this is textual substitution

4 Symbolic Image Computation
- Given:
  - A of type reg over state variables S
  - Trans of type reg over S ∪ S’
- Post(A, Trans) = Rename(Exists(Conj(A,Trans),S), S’, S)
  1. Take the conjunction of A and Trans
  2. Project out the variables in S using existential quantification
  3. Rename primed variables to get a region over S

5 Symbolic Breadth-First-Search Algorithm
- Algorithm for checking if a property φ is an invariant of T?
- Same as checking if an “error” state satisfying ~φ is reachable?
- We need to check at every step if error states are reached; if so, stop.
- If no new states are encountered, then also stop (invariant satisfied)
- reach_0 = Initial states, and each reach_{i+1} is obtained from reach_i by applying Post

6 Symbolic BFS Algorithm
Given region Init over S, region Trans over S ∪ S’, and region φ over S, if φ is reachable in T then return 1, else return 0

    reg Reach := Init;   /* States found reachable */
    reg New := Init;     /* States not yet explored for outgoing transitions */
    while IsEmpty(New) = 0 {   /* while there are states to be explored */
        if IsEmpty(Conj(New, φ)) = 0   /* Property φ found reachable */
            then return 1 (and stop);
        New := Diff(Post(New,Trans), Reach);
            /* These are states in the post-image of New, but not previously found reachable, so to be explored */
        Reach := Disj(Reach, New);   /* Update Reach by newly found states */
    };
    return 0;   /* All states explored without encountering φ */
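The Post computation of slide 4 and the BFS of slide 6, as an added Python example that is not part of the lecture: the reg type here is a plain set of assignments (one state per element), and the two-variable system with update x’ := y, y’ := x xor y is a constructed sample, not one from the slides.

```python
# Added example (not from the slides): the reg interface of slide 3 realised as
# explicit sets of assignments, then Post (slide 4) and the symbolic BFS of
# slide 6 on top of it. An assignment is a frozenset of (variable, value) pairs.
def Disj(A, B):
    return A | B

def Conj(A, B):   # join: combined assignments of A and B that agree on shared variables
    return {a | b for a in A for b in B if all(dict(b).get(v, x) == x for v, x in a)}

def Diff(A, B):
    return A - B

def IsEmpty(A):
    return 0 if A else 1

def Exists(A, X):   # projection: drop the variables in X from every assignment
    return {frozenset((v, x) for v, x in a if v not in X) for a in A}

def Rename(A, X, Y):
    m = dict(zip(X, Y))
    return {frozenset((m.get(v, v), x) for v, x in a) for a in A}

def Post(A, Trans, S, Sp):   # Post(A, Trans) = Rename(Exists(Conj(A, Trans), S), S', S)
    return Rename(Exists(Conj(A, Trans), S), Sp, S)

def symbolic_bfs(Init, Trans, Phi, S, Sp):
    # Returns 1 if some state satisfying Phi is reachable from Init, else 0
    Reach = Init   # states found reachable
    New = Init     # states not yet explored for outgoing transitions
    while IsEmpty(New) == 0:
        if IsEmpty(Conj(New, Phi)) == 0:
            return 1
        New = Diff(Post(New, Trans, S, Sp), Reach)
        Reach = Disj(Reach, New)
    return 0

# Constructed sample system: Boolean state variables x, y with the update
# x' := y; y' := x xor y. Trans is "compiled" from that update code.
S, Sp = ("x", "y"), ("x'", "y'")
def state(names, vals):
    return frozenset(zip(names, vals))

TRANS = {state(S, (x, y)) | state(Sp, (y, x ^ y)) for x in (0, 1) for y in (0, 1)}
INIT = {state(S, (1, 0))}

def reaches(x, y):   # is the state (x, y) reachable from INIT?
    return symbolic_bfs(INIT, TRANS, {state(S, (x, y))}, S, Sp)

if __name__ == "__main__":
    print(reaches(1, 1), reaches(0, 0))   # 1 0
```

From (1,0) the system cycles through (0,1) and (1,1), so the search reports (1,1) reachable and exhausts Reach without ever meeting (0,0).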

7 Frontier Computation in Symbolic BFS
(Figure: the regions Reach, New and Post(New) before one iteration, and the updated Reach and New after it)

8 Symbolic Search
- Correctness: When the algorithm stops, its answer (whether the property φ is reachable or not) is correct
- Termination: Number of iterations depends on
  - length of the shortest execution leading to a state satisfying φ
  - Diameter: smallest d such that all states are reachable within d steps (this may not be bounded if the system is not finite-state)
- In practice, terminates if one of these numbers is small
- Used in practice for hardware verification, protocol verification
  - Industrial-strength symbolic model checker: Cadence
  - Open-source widely used academic tool: NuSMV

9 Implementation of Regions
- Key to efficient implementation: How to represent regions?
- Operations: Disj, Conj, Diff, IsEmpty, Exists, Rename
- Suppose all variables are Booleans
- Can we represent regions with formulas (with &, |, ~)?
  - Disj, Conj, Diff, Rename easy
  - Exists(φ,x) same as φ[x->0] | φ[x->1]
  - IsEmpty(φ) requires a test for satisfiability (SAT)
- SAT is computationally demanding (NP-complete), but more importantly, the size of the formula representing Reach keeps growing as we apply operations such as Conj, Disj, Exists…
- Key to performance: Simplify formulas as much as possible
- Solution: Data structure of ROBDDs

10 Ordered Binary Decision Diagram
Formula: (x | ~y) & (y | z)
(Figure: full decision tree with x at the root, two y vertices, four z vertices, each with a 1-edge and a 0-edge, and the eight leaves 0 1 0 0 0 1 1 1)

11 Reduced Ordered Binary Decision Diagram
Formula: (x | ~y) & (y | z)
Reduce size:
- Rule 1: Merge isomorphic vertices
- Rule 2: Eliminate a node if left child equals right child
(Figure: the same decision tree as on slide 10, leaves 0 1 0 0 0 1 1 1)

12 Reduced Ordered Binary Decision Diagram
Formula: (x | ~y) & (y | z)
- Rule 1: Merge isomorphic vertices
- Rule 2: Eliminate a node if left child equals right child
(Figure: decision tree after merging the leaves into the two terminals 0 and 1; z vertices whose children are both 0 or both 1 are marked “Can be eliminated by Rule 2”, and the z vertices with children 0 and 1 are marked “Can be merged by Rule 1”)

13 Reduced Ordered Binary Decision Diagram
Formula: (x | ~y) & (y | z)
- Rule 1: Merge isomorphic vertices
- Rule 2: Eliminate a node if left child equals right child
(Figure: the reduced diagram: root x, two y vertices, one shared z vertex, terminals 0 and 1; the vertices represent the functions z, y | z and ~y | z)
No more reduction possible!

14 ROBDD Properties
- Key restriction: Variables appear in the same order on each path
  - Not every variable needs to appear on every path
- The order in which reductions are applied does not matter
  - Final result depends only on the function being represented
- Once we fix the variable ordering, the corresponding ROBDD is canonical
- Minimal: Smallest possible decision graph given the ordering restriction
  - No other reductions possible
- One does not have to first build the complete tree and then reduce

15 Example Constructing ROBDD
Formula: (x & y) | (x’ & y’)
Ordering: x < y < x’ < y’
(Figure: ROBDD built directly, top-down; vertices labelled x, y, x’, y’, annotated with the functions they represent: y | (x’ & y’), (x’ & y’), y’; terminals 0 and 1)

16 ROBDD Definition
Given a set X of Boolean vars ordered by <, an ROBDD B consists of
- Finite set U of vertices partitioned into internal and terminal
- Labeling function: for an internal vertex u, label(u) is a variable in X, and for a terminal vertex u, label(u) is a constant 0/1
- Left-child function for internal vertices such that either left(u) is terminal, or label(u) < label(left(u))
- Right-child function for internal vertices such that either right(u) is terminal, or label(u) < label(right(u))
- Meets the reduction rules:
  1. If u and v are distinct terminal vertices then label(u) != label(v)
  2. If u and v are distinct internal vertices then either label(u) != label(v) or left(u) != left(v) or right(u) != right(v)
  3. If u is an internal vertex, then left(u) != right(u)
- Semantics of a vertex: Boolean function associated with it

17 Example: Ordering Affects Size
Formula: ( x y) & (x’ y’)
Ordering: x < y < x’ < y’
Ordering: x < x’ < y < y’
(Figure: the ROBDD of the formula under each of the two orderings, side by side)

18 ROBDD Properties
- For every Boolean function/formula f over variables V, given an ordering <, there exists a unique ROBDD for f over (V,<)
- To test if two formulas/circuits f and g are equivalent, we can build ROBDDs for f and g and check if they are the same
- Satisfiability/emptiness test: Given an ROBDD B, is the corresponding function satisfiable?
  - B is satisfiable if it does not equal the terminal vertex 0
- Validity test: Given an ROBDD B, is the corresponding function valid (that is, always 1 no matter what the values of the variables are)?
  - B is valid if it equals the terminal vertex 1
- How to reconcile this with the computational difficulty of checking satisfiability/validity of formulas/circuits?
  - The ROBDD corresponding to a formula can be exponentially large!
  - For some functions, no matter what ordering we choose, the ROBDD is guaranteed to be large! (Hope: this is not a common case)
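The definition of slide 16 and the equivalence, satisfiability and validity tests of slide 18 (with Exists from slide 9), as an added Python example that is not part of the lecture: the tuple encoding of vertices, the fixed ordering x < y < z and the choice of the running formula from slides 10 to 13 are this example’s assumptions.

```python
# Added example (not from the slides): a minimal ROBDD over the fixed ordering
# x < y < z. Terminals are the ints 0 and 1; an internal vertex is the tuple
# (label(u), left(u), right(u)). mk() applies the two reduction rules of slide
# 11, so each Boolean function gets exactly one vertex (canonicity, slide 18).
ORDER = ["x", "y", "z"]
_unique = {}   # unique table: one shared vertex per (label, left, right)

def mk(v, left, right):
    if left == right:                       # Rule 2: drop a redundant test
        return left
    return _unique.setdefault((v, left, right), (v, left, right))   # Rule 1: merge
def var(v):
    return mk(v, 0, 1)
def top(u):   # position of the variable tested at u; terminals sort last
    return len(ORDER) if u in (0, 1) else ORDER.index(u[0])

def apply(op, u, v, memo=None):
    # Shannon expansion on the smaller variable of u and v (Bryant's Apply)
    memo = {} if memo is None else memo
    if u in (0, 1) and v in (0, 1):
        return op(u, v)
    if (u, v) not in memo:
        k = min(top(u), top(v))
        ul, ur = (u[1], u[2]) if top(u) == k else (u, u)
        vl, vr = (v[1], v[2]) if top(v) == k else (v, v)
        memo[(u, v)] = mk(ORDER[k], apply(op, ul, vl, memo), apply(op, ur, vr, memo))
    return memo[(u, v)]

AND = lambda a, b: a & b
OR = lambda a, b: a | b
NOT = lambda u: apply(lambda a, b: a ^ b, u, 1)

def restrict(u, v, val):   # cofactor u[v -> val]
    if u in (0, 1):
        return u
    if u[0] == v:
        return u[2] if val else u[1]
    return mk(u[0], restrict(u[1], v, val), restrict(u[2], v, val))
def exists(u, v):   # Exists(u, v) = u[v->0] | u[v->1], as on slide 9
    return apply(OR, restrict(u, v, 0), restrict(u, v, 1))
def size(u, seen=None):   # number of internal vertices reachable from u
    seen = set() if seen is None else seen
    if u in (0, 1) or u in seen:
        return 0
    seen.add(u)
    return 1 + size(u[1], seen) + size(u[2], seen)
is_satisfiable = lambda u: u != 0   # slide 18: satisfiable iff not the terminal 0
is_valid = lambda u: u == 1         # slide 18: valid iff the terminal 1

def slide_formula():   # (x | ~y) & (y | z), the running example of slides 10-13
    x, y, z = var("x"), var("y"), var("z")
    return apply(AND, apply(OR, x, NOT(y)), apply(OR, y, z))
```

Because vertices are canonical, two syntactically different formulas for the same function build the very same tuple, which is the equivalence test of slide 18; for the running formula the result has the four internal vertices x, y, y, z shown on slide 13.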

19 ROBDD Implementation
- Efficient data structures and implementations known
  - Algorithms for operations such as Conj, Disj, Diff
  - Given ROBDDs B1 and B2, construct the ROBDD representing the AND of the corresponding functions directly
  - Given a formula/circuit/program text, construct the ROBDD representing the corresponding transition relation
  - How to choose a “good” variable ordering?
- See textbook (page 115 onwards) for some basic ideas for efficient implementation

