Exploration of Large State Spaces
Armando Tacchella, Lab - Software Engineering, DIST – Università di Genova


Scenario
- Applications
  - Formal verification
  - Planning
- Issues
  - Is there a bug in the design?
  - Is there a plan to reach the goal?

Formal verification
- Modulo 4 counter
- Bug: it is not possible to reach s00 starting from s01 or s10
- The bug can be discovered, e.g., by trying to reach s00 either from s01 or from s10

Why formal verification?
- Implementation bugs (data presented at DAC2001 by Bob Bentley, Intel Corp.)

Planning
- Blocks world
- A block can be:
  - on top of another block
  - on top of the table
- Blocks can be moved from a source to a destination
- The goal is to rebuild the tower upside-down
- The plan is the sequence of moves to the goal

Common model
- Set of states (configurations)
- Transitions between states
- Set of initial states
- Set of final states
- Is there a path from some initial state to some final state?
- Solving a reachability problem on a graph

Reachability
- Graph representation
  - each node is a state
  - each arc is a transition
- One or more sources (initial states)
- One or more targets (final states)
- Reachability can be solved with standard graph algorithms
- Optimization on the path length can be done using, e.g., Dijkstra's algorithm

Representing states
- States are encoded using vectors of boolean variables
- State variable x = {x1, ..., xN}
- A state is an assignment of boolean values {0,1} to a state variable
- State s = {v1, ..., vN} where vi ∈ {0,1}

How large is the state space?
- 2^N states (and 2^(2N) transitions) at most
- In real-sized problems N is easily > 100
- How large is 2^N then?
- Consider that … ns ~ 3·10^12 yr
- Classical graph representations may not be feasible in practice!

Symbolic encoding
- Use boolean formulas to encode:
  - Initial states I(x)
  - Transitions T(x, x')
  - Final states F(x)
- Given two states s, t:
  - I(s) = 1 exactly when s is an initial state
  - T(s,t) = 1 exactly when there is a transition between s and t
  - F(s) = 1 exactly when s is a final state

A glimpse into Boolean logic...
- Every variable (x1, x2, ...) is a formula
- If F and G are formulas:
  - ¬F is a formula (negation of F)
  - F+G (disjunction), F·G (conjunction), F → G (implication) are formulas
- Consider the following abbreviations:

Symbolic encoding (example)
- Counter modulo N: 2^N nodes
- T_N: O(N^2) symbols

Bounded symbolic reachability
- Reaching a final state from an initial one with a path of length at most k (nodes)
- If R(s1, ..., sk) = 1 then the sequence s1, ..., sk has the following properties (i ∈ {1, ..., k}):
  - I(s1) = 1
  - T(si, si+1) = 1 for all si
  - F(si) = 1 for some si

Symbolic reachability (example)
- Modulo 4 counter (bugged), initial state s10, final state s00
- R(x1, x2, x3) = 0 for all values of x1, x2, x3 ⇒ s00 is unreachable from s10

Solving symbolic reachability
- Symbolic encodings enable handling of large state spaces
- Bounded symbolic reachability amounts to finding s1, ..., sk s.t. R(s1, ..., sk) = 1
- Decide whether the boolean formula R is satisfiable or not (a.k.a. the SAT problem)
- There is no free lunch: SAT is NP-hard!
- Is this a limitation?

A glimpse into complexity...
- Two resources: TIME (omitted) and SPACE
- P = polynomial, EXP = exponential
- N = non-deterministic
- co = complement of
[Diagram of complexity classes: P ⊆ NP, co-NP ⊆ PSPACE ⊆ EXP; labels: "Reachability" (in P), "Bounded symbolic reachability and SAT" (in NP), "Symbolic reachability and Q-SAT" (in PSPACE)]

Solving SAT: preliminaries
- Formulas in Conjunctive Normal Form (CNF):
  - The formula is a set (conjunction) of clauses
  - Each clause is a set (disjunction) of literals
  - A literal is a variable or the negation of a variable
- Given any formula F it is always possible to produce F' in CNF s.t. F' is satisfiable exactly when F is satisfiable and |F'| = poly(|F|)

Formulas and CNF (example)
- T4(x, x')
- x → y ≡ ¬x + y
- ¬(x·y) ≡ ¬x + ¬y
- T4(x, x') in CNF

Solving SAT: search algorithm

    Search(F)
      Simplify(F)
      if F = ∅ return 1
      if ∅ ∈ F return 0
      l ← ChooseLiteral(F)
      if Search(F ∪ {l}) then return 1
      else return Search(F ∪ {¬l})

    Simplify(F)
      while ∃ l : {l} ∈ F do
        for each C ∈ F : l ∈ C
          F = F \ {C}
        for each C ∈ F : ¬l ∈ C
          F = F \ {C} ∪ {C \ {¬l}}
      end
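The bounded symbolic reachability encoding and the Search/Simplify algorithm above, put together on the slides' modulo-4 counter. This is an added example, not code from the original slides or the lab's toolkit: the two transition tables are constructed here, and the bugged counter is assumed to wrap s11 -> s01 instead of s11 -> s00 (the slides only state that s00 is unreachable from s01 or s10). R(s1, ..., sk) is built as a CNF over integer literals and decided with the DPLL search of the slide.

```python
from itertools import product

N = 2  # state bits (x1, x2) of the slides' modulo-4 counter
# Constructed transition tables. Assumption for this example: the bugged counter
# wraps s11 -> s01 instead of s11 -> s00, so s00 is never re-entered.
CORRECT = {(0, 0): (0, 1), (0, 1): (1, 0), (1, 0): (1, 1), (1, 1): (0, 0)}
BUGGED = {(0, 0): (0, 1), (0, 1): (1, 0), (1, 0): (1, 1), (1, 1): (0, 1)}
def var(step, bit):
    return step * N + bit + 1  # variable of bit `bit` in s_step; a negative int is its negation
def state_lits(step, state):
    # literals that are all true exactly when s_step equals `state`
    return [var(step, b) if v else -var(step, b) for b, v in enumerate(state)]
def transition_clauses(table, i):
    # T(s_i, s_i+1) in CNF: one clause forbidding each pair (s, t) that is not a transition
    return [frozenset(-l for l in state_lits(i, s) + state_lits(i + 1, t))
            for s in product((0, 1), repeat=N)
            for t in product((0, 1), repeat=N) if table[s] != t]
def reach_formula(table, init, final, k):
    # R(s_1..s_k) = I(s_1) . T(s_1,s_2) ... T(s_k-1,s_k) . (F(s_1) + ... + F(s_k))
    clauses = [frozenset([l]) for l in state_lits(0, init)]            # I(s_1)
    for i in range(k - 1):
        clauses += transition_clauses(table, i)                        # T(s_i, s_i+1)
    sel = [var(k, i) for i in range(k)]  # fresh selector f_i meaning "s_i is final"
    for i, f in enumerate(sel):
        clauses += [frozenset([-f, l]) for l in state_lits(i, final)]  # f_i -> F(s_i)
    clauses.append(frozenset(sel))                                     # some f_i holds
    return clauses

def simplify(clauses):
    # the slide's Simplify(F): unit propagation until no unit clause is left
    clauses = list(clauses)
    while True:
        unit = next((c for c in clauses if len(c) == 1), None)
        if unit is None:
            return clauses
        (l,) = unit
        clauses = [c - {-l} for c in clauses if l not in c]

def search(clauses):
    # the slide's Search(F): DPLL with ChooseLiteral = first literal of the first clause
    clauses = simplify(clauses)
    if not clauses:
        return True            # F = {} : satisfiable
    if frozenset() in clauses:
        return False           # {} in F : conflict, backtrack
    l = next(iter(clauses[0]))
    return search(clauses + [frozenset([l])]) or search(clauses + [frozenset([-l])])
def bounded_reachable(table, init, final, k):
    return search(reach_formula(table, init, final, k))
```

With the correct counter, `bounded_reachable(CORRECT, (1, 0), (0, 0), 3)` is satisfiable (s10 -> s11 -> s00), while for the bugged counter `bounded_reachable(BUGGED, (1, 0), (0, 0), 8)` is unsatisfiable, which is how the bug is discovered.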

Search process (example)

Solving SAT: in practice
- The performance of the search algorithm critically depends on
  - the particular ChooseLiteral heuristic
  - the amount of simplification performed
  - the smartness of the backtracking schema
- No silver bullet, but state-of-the-art SAT solvers can solve industrial scale problems with thousands of variables!

Research issues
- Bounded symbolic reachability via SAT
  - performs very well on bug-finding
    - when the error trace is short, or
    - the diameter of the search space is small
- Nevertheless
  - since there can be up to 2^N states, it may not be feasible for general symbolic reachability, and
  - it can become impractical even for error traces of reasonable lengths

Research issues (ctd.)
- Tools for reasoning with boolean formulas
  - are routinely used in research and industry
  - reach good performance and capacity standards
- Nevertheless
  - most of them are special purpose (disposable code)
  - they are difficult (if not impossible) to integrate into existing systems
  - most often they are unsupported, undocumented, not robust enough for time/safety/money-critical applications

Lab core research
- Encodings for (bounded) symbolic reachability exploiting quantified Boolean formulas
  - compact and (possibly) effective, but
  - challenging: solving Q-SAT is PSPACE-hard!
- A toolkit for reasoning with Boolean formulas
  - handles quantified Boolean formulas
  - features a component-based architecture
  - integrates several services, e.g., enumeration of assignments, logic minimization, ...
  - is reasonably efficient w.r.t. special purpose tools

Formal verification projects
- FIRB: Knowledge Level Automated Software Engineering (ends in 2005)
- PRIN: Advanced Reasoning Systems for the Representation and Formal Verification of Complex Systems (ends in 2004)
- INTEL: SAT Solvers for Symbolic Model Checking and Formal Verification

Planning projects
- ASI-DOVES: Enabling On-board Autonomy: A platform for the Development of Verified Software (ends in 2004)
- ASI-SACSO: Safety Critical Software for planning space robotics (ends in 2004)
- ASI-GMES: Un Sistema Innovativo per la gestione di Costellazioni di Satelliti e la sua Applicazione alla Tutela Ambientale (proposal)
- RoboCare: Sistema multi-agente con componenti fisse e robotiche mobili intelligenti (ends in 2005)

FIRB: Knowledge Level Automated Software Engineering (4 million Euro)
Partners:
- DIT, Università di Trento
- DIS, Università "La Sapienza"
- Delisa-Delta Dator, Trento
- DIST, Università di Genova
- IRST, Istituto Trentino di Cultura

FIRB (objectives)
- A Knowledge Level Automated Software Engineering methodology
- A requirement, actor and goal oriented framework
- Theories and techniques for code analysis
- A concept demonstrator prototype, integrating the developed techniques
- The application of the prototype to a case study

FIRB (activities)
- Development of a methodology based on the goal/actors paradigm
- Automated reasoning for validation and verification of software (QBF, BMC, SAT, ...)
- Automated planning for software development automation
- Natural language processing for documentation analysis
- Analysis and testing of systems based on the goal/actors paradigm

Lab activities on FIRB
- Development of a planning language for the goal/actor framework
- Study and development of planning techniques based on SAT
- Study and development of planning techniques based on QBF
- Development of a tool for formal verification

Thesis students wanted for FIRB
- Good knowledge of:
  - Basic computer science (algorithms and data structures)
  - Standard C/C++ languages
  - English
- Willingness:
  - To work hard in a young and growing team
  - To spend periods in Trento during the thesis
  - To start the thesis in September/October 2003
- Programme:
  - Initial training in Genova during the thesis
  - Completion of the activities at ITC/IRST in Trento with a one-year collaboration contract