Optimizing Symbolic Model Checking for Constraint-Rich Systems
Randal E. Bryant, Bwolen Yang, Reid Simmons, David R. O'Hallaron
Carnegie Mellon University

2 NASA's Deep Space One (DS1) Spacecraft
[figure: the fault diagnosis model qualitatively describes the spacecraft's behavior]

3 Autonomous Spacecraft: NASA DS1's Fault Diagnosis Model
Fault Diagnosis Model
• component interconnections (thrusters, motors, valves, ...)
• component state: mode (e.g. thruster force: low / nominal / high)
Also used in a robot explorer (Nomad: Antarctic meteorite explorer)
Livingstone Diagnostic Engine [Williams & Nayak '96]
[figure: sensor data + fault diagnosis model -> Livingstone -> consistent?]

4 Verification of DS1's Fault Diagnosis Model [Simmons, CMU]
Automatically translated to the SMV model checker
• state transition == component mode changes
• time-invariant constraints
  » sensor values and modes
  » interconnection between components
• automatic translation ==> little / no manual optimization
  » vs. models built from scratch by verification experts

5 Verification of DS1's Fault Diagnosis Model
Challenge: failed due to the large number of state variables
• state bits
  » model checker's capacity: ~ a few hundred state bits
Observation
• dominated by time-invariant constraints

6 Time-Invariant Constraints, Example 1: Establish Interface
[figure: component 1 --out--> (pipe, capacity c) --in--> component 2]
min(out, c) == in
c: capacity of the pipe
"in" is redundant

7 Time-Invariant Constraints, Example 2: Use of Generic Parts (both software / hardware)
• specific use ==> constraints
[figure: component 1 --out--> component 2 --in-->; a bi-directional generic part specialized to one direction]
redundant components! e.g., valves always set to the same direction

8 Time-Invariant Constraints, Observation 1 (Examples 1 + 2)
Many unnecessary state variables (macros)
• Establish Interface: in := min(out, c)
• Specific Use of Generic Parts: valve-direction := some constant (after inlining the module)

9 Time-Invariant Constraints, Example 3: Indirection (based on the specification)
transition relation:
  next(bus.state) := complex expression f
invariant constraints:
  device1.output1 := switch (bus.state) ...
  device1.output2 := switch (bus.state) ...

10 Time-Invariant Constraints, Example 4: Consistent Non-Deterministic Choices
invariant constraint:
  cmd := expression f with non-determinism (due to incomplete specification or abstraction)
transition relations:
  next(device1.output1) := switch (cmd) ...
  next(device1.output2) := switch (cmd) ...

11 Time-Invariant Constraints, Observation 2 (Examples 3 + 4)
Variables with constraints used in the current state only
• Indirection
  device1.output1 := switch (bus.state) ...
  device1.output2 := switch (bus.state) ...
• Consistent Non-Deterministic Choices
  cmd := expression f with non-determinism (due to incomplete specification or abstraction)
==> the corresponding next-state BDD variables are NOT used
==> early quantification in pre-image computation
  » pre-image quantifies out next-state variables

12 Time-Invariant Constraints, Example 5: Conditional Assignments
(tank == non-empty) => (out-pressure.sign := positive) & (out-pressure.relative := nominal)
Note
• occurs for interface and indirection
• mostly simple (as above), but sometimes quite complicated
  » p1 => ((p2 => (a := ...)) & (p3 => (b := ...)))
  » the most complicated expression has > 10,000 characters

13 Time-Invariant Constraints, Observation 3 (Example 5)
Combining time-invariant constraints ==> macros
  p1 => (a := ...)
  p2 => (a := ...)
  p3 => (a := ...)
  ...
  ==> a := some deterministic expression
complex expressions ==> syntactic analysis is insufficient

14 Optimizations for Constraint-Rich Models
Time-invariant constraints
• arise from modeling
• may have lots of redundant state bits
Our solutions
• remove redundant state variables
  » identify macros: assignment-extraction algorithm
  » select macros: BDD characteristics
• partition (conjunctive partitioning) the remaining constraints
  » apply an improved version of the [Ranjan et al. '95] algorithm

15 Redundant State-Variable Removal
Problem statement: given an invariant constraint c and a state variable v,
Question: does c imply v == g? If so, v is redundant: replace v with g.
Related work: [Berthet et al. '90] [Lin & Newton '91] [Hu & Dill '93] [Eijk & Jess '96] [Sentovich et al. '96]
Problems
• require the constraints to be combined first
• removal is not always beneficial

16 Redundant State-Variable Removal: Our Approach, Assignment Extraction Algorithm
[figure: (c_i, v) -> G_i, a non-deterministic assignment]
If G_i = {g_i}, we have v == g_i

17 Redundant State-Variable Removal: Partitioned Constraints
[figure: (c_1, v) -> G_1; (c_2, v) -> G_2; ...; (c_n, v) -> G_n]
use graph sizes to determine the "goodness" of g
v == g ?

18 Redundant State-Variable Removal: Assignment Extraction Algorithm (Core Idea)
Target: construct a solution $G_i$ such that $c_i \Rightarrow (v \in G_i)$
For all $k \in K_v$, where $K_v$ is the set of possible values of $v$:
$c_i|_{v=k} \Rightarrow (k \in G_i)$ [substitute $v$ with $k$]
$G_i = \bigcup_{k \in K_v} \big(\text{if } c_i|_{v=k} \text{ then } \{k\} \text{ else } \{\}\big)$
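A worked example of the core idea on slides 16 to 18 together with the constraint combining of slide 13, added here and not part of the original talk: the BDD cofactor c|v=k is replaced by brute-force enumeration over constructed finite domains, the constraints are plain Python predicates I made up to mirror Examples 1, 4 and 5, and the G_i of several partitioned constraints are intersected to decide whether v is a macro.

```python
from itertools import product

def assignment_set(constraint, var, var_domain, other_domains):
    """G(x) = { k in K_v : c[v := k](x) } for every assignment x of the
    other variables. Enumeration stands in for the BDD cofactor c|v=k of
    slide 18; each x is keyed as a sorted tuple of (name, value) pairs."""
    names = sorted(other_domains)
    g = {}
    for values in product(*(sorted(other_domains[n]) for n in names)):
        x = dict(zip(names, values))
        g[tuple(sorted(x.items()))] = {k for k in var_domain
                                       if constraint({**x, var: k})}
    return g

def extract_macro(constraints, var, var_domain, other_domains):
    """Intersect the G_i obtained from each partitioned constraint c_i.
    Returns the macro {x: k} when v is pinned to a single value wherever the
    conjunction is satisfiable, or None if some x still leaves v a genuine
    non-deterministic choice (v must then stay a state variable)."""
    combined = None
    for c in constraints:
        g = assignment_set(c, var, var_domain, other_domains)
        combined = g if combined is None else {x: combined[x] & g[x] for x in g}
    macro = {}
    for x, ks in combined.items():
        if len(ks) > 1:
            return None
        if ks:                      # empty set: x violates c, v unconstrained
            macro[x] = next(iter(ks))
    return macro

D = {0, 1, 2}                       # constructed finite domain
# Example 1 (slide 6): min(out, c) == in  ==> "in" is a macro for min(out, c)
EX1 = [lambda s: min(s["out"], s["c"]) == s["in"]]
# Example 4 (slide 10): cmd may be x or x+1, a consistent non-deterministic
# choice; no partition can turn it into a macro
EX4 = [lambda s: s["cmd"] in (s["x"], (s["x"] + 1) % 3)]
# Example 5 (slides 12-13): p => (a := 1) and !p => (a := 0); neither
# conditional assignment alone fixes a, their conjunction does
EX5 = [lambda s: (not s["p"]) or s["a"] == 1,
       lambda s: s["p"] or s["a"] == 0]

if __name__ == "__main__":
    print(extract_macro(EX1, "in", D, {"out": D, "c": D}))
    print(extract_macro(EX4, "cmd", D, {"x": D}))                     # None
    print(extract_macro(EX5[:1], "a", {0, 1}, {"p": {False, True}}))  # None
    print(extract_macro(EX5, "a", {0, 1}, {"p": {False, True}}))
```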

19 Conjunctive Partitioning of Time-Invariant Constraints
Represent $C$ as a conjunctive partition
• $C_1 \wedge C_2 \wedge \ldots \wedge C_m$
• a monolithic BDD is too large to build
$\mathrm{image}(S) = \exists V.\, T \wedge (S \wedge C) = \exists (V \setminus W).\, T \wedge [\exists W.\, (S \wedge C)]$
where $T$ does not depend on variables in $W$
• many variables are used only in the time-invariant constraint
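An added example of the early-quantification identity above, not from the slides: a constructed 2-bit counter T over (x, y) plus two variables w1, w2 that appear only in the constraint C, with states enumerated explicitly instead of as BDDs. Both image computations return the same set, but the intermediate relation after quantifying W out of S ∧ C is smaller, which is the point of partitioning C.

```python
from itertools import product

BITS = (0, 1)
V = ("x", "y", "w1", "w2")     # current-state variables
W = ("w1", "w2")               # used only in C; T never reads them

def T(cur, nxt):
    """Transition relation of a 2-bit counter (x, y). It does not mention
    w1 or w2, so their next-state copies are left free."""
    n = (2 * cur["x"] + cur["y"] + 1) % 4
    return nxt["x"] == n // 2 and nxt["y"] == n % 2

def C(cur):
    """Time-invariant constraint relating w1 and w2 only to each other:
    a consistent non-deterministic choice in the sense of slide 10."""
    return cur["w1"] != cur["w2"]

def all_states(names):
    return [dict(zip(names, vals)) for vals in product(BITS, repeat=len(names))]

def as_tuple(state, names):
    return tuple(state[n] for n in names)

def image_monolithic(S):
    """image(S) = ∃V. T ∧ (S ∧ C): S ∧ C is kept over all of V.
    Returns the image and the size of that intermediate relation."""
    sc = [cur for cur in all_states(V) if as_tuple(cur, V) in S and C(cur)]
    img = {as_tuple(nxt, V) for cur in sc for nxt in all_states(V) if T(cur, nxt)}
    return img, len(sc)

def image_early(S):
    """image(S) = ∃(V minus W). T ∧ [∃W. (S ∧ C)]: W is quantified out of
    S ∧ C before T is conjoined, sound because T does not depend on W.
    The intermediate relation is over V minus W only."""
    keep = [n for n in V if n not in W]
    sc_w = {as_tuple(cur, keep) for cur in all_states(V)
            if as_tuple(cur, V) in S and C(cur)}
    img = set()
    for vals in sc_w:
        cur = dict(zip(keep, vals))          # T needs no W entries
        img |= {as_tuple(nxt, V) for nxt in all_states(V) if T(cur, nxt)}
    return img, len(sc_w)

# Constructed start set: every state with x == 0 (8 of the 16 states).
S_X0 = frozenset(s for s in product(BITS, repeat=4) if s[0] == 0)

if __name__ == "__main__":
    print(image_monolithic(S_X0)[1], image_early(S_X0)[1])   # 4 vs 2
    assert image_monolithic(S_X0)[0] == image_early(S_X0)[0]
```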

20 Optimizations for Constraint-Rich Models: Overall Impact
[chart: time (sec)]

21 Performance Breakdown
• BDD-based macro optimization
• Early quantification of $W$ for $\exists V.\, T \wedge [\exists W.\, (S \wedge C)]$, without and with macro optimization

22 Effects of BDD-Based Macro (No Early Quantification)
[chart: time (sec)]

23 Effects of BDD-Based Macro: Causes
[chart: % BDD vars removed]

24 Performance Breakdown
• BDD-based macro optimization
• Early quantification of $W$ for $\exists V.\, T \wedge [\exists W.\, (S \wedge C)]$, without and with macro optimization

25 Effects of Early Quantification (No Macro Optimization)
[chart: time (sec)]

26 Effects of Early Quantification: Causes (No Macro Optimization)
[chart: % BDD vars extracted; maximum achievable = 50%]

27 Effects of Early Quantification (With Macro Optimization)
[chart: time (sec)]

28 Summary & Future Work
Optimizations for constraint-rich models
• enabled verification of DS1's fault diagnosis model
  » 159 specs within 1 min
• typical of the effort required to deal with models generated automatically from a modular description
BDD algorithms for compiler-type analysis
• assignment-extraction algorithm
  » cone-of-influence analysis: exact dependence information