Optimizing Symbolic Model Checking for Constraint-Rich Systems
Randal E. Bryant, Bwolen Yang, Reid Simmons, David R. O’Hallaron
Carnegie Mellon University
NASA’s Deep Space One (DS1) Spacecraft
[Figure: DS1 spacecraft; its fault diagnosis model qualitatively describes the spacecraft’s behavior]
NASA DS1’s Fault Diagnosis Model
[Diagram: on the autonomous spacecraft, the Livingstone Diagnostic Engine [Williams & Nayak ’96] checks Sensor Data against the Fault Diagnosis Model: consistent?]
• Fault Diagnosis Model
  • component’s interconnections (thrusters, motors, valves, …)
  • component’s state: mode (thruster’s force: low / nominal / high)
• Also in Robot Explorer (Nomad: Antarctic meteorite explorer)
Verification of DS1’s Fault Diagnosis Model [Simmons, CMU]
• Automatically Translated to SMV Model Checker
  • state transition == component’s mode changes
  • time-invariant constraints
    • sensor values and modes
    • interconnection between components
• automatic translation ==> little / no manual optimization
  • vs. models built from scratch by verification experts
Verification of DS1’s Fault Diagnosis Model: Challenge
• Failed due to Large Number of State Variables
  • 600-1200 state bits
  • model checker’s capacity: ~ a few hundred state bits
• Observation
  • dominated by time-invariant constraints
Time-Invariant Constraints: Example 1
[Diagram: component 1 --out--> pipe (c: capacity of the pipe) --in--> component 2, with the constraint min(out, c) == in]
• Establish Interface
  • “in” is redundant
Time-Invariant Constraints: Example 2
[Diagram: a bi-directional part between component 1 (out) and component 2 (in), specialized to a single direction]
• Use of Generic Parts (both software / hardware)
  • specific use ==> constraints
  • redundant components! e.g., valves always set to the same direction
Time-Invariant Constraints: Observation 1 (Example 1 + 2)
• Many Unnecessary State Variables (macros)
  • Establish Interface: in := min(out, c)
  • Specific Use of Generic Parts: valve-direction := some constant (after inlining the module)
Time-Invariant Constraints: Example 3
• Indirection (based on the specification)
  transition relation:
    next(bus.state) := complex expression f
  invariant constraints:
    device1.output1 := switch (bus.state) …
    device1.output2 := switch (bus.state) …
Time-Invariant Constraints: Example 4
• Consistent Non-Deterministic Choices
  invariant constraint:
    cmd := expression f with non-determinism (due to incomplete specification or abstraction)
  transition relations:
    next(device1.output1) := switch (cmd) …
    next(device1.output2) := switch (cmd) …
Time-Invariant Constraints: Observation 2 (Example 3 + 4)
• Variables w/ Constraints Used in Current State Only
  • Indirection
    device1.output1 := switch (bus.state) …
    device1.output2 := switch (bus.state) …
  • Consistent Non-Deterministic Choices
    cmd := expression f with non-determinism (due to incomplete specification or abstraction)
• ==> Corresponding Next-State BDD Variables NOT Used
  • early quantification in pre-image computation
  • pre-image quantifies out next-state variables
Time-Invariant Constraints: Example 5
• Conditional Assignments
  (tank == non-empty) => (out-pressure.sign := positive) & (out-pressure.relative := nominal)
• Note
  • occurs for interface and indirection
  • mostly simple (as above), but sometimes quite complicated
    p1 => ((p2 => (a := …)) & (p3 => (b := …)))
  • most complicated expression has > 10,000 characters
Time-Invariant Constraints: Observation 3 (Example 5)
• Combining Time-Invariant Constraints ==> Macros
    p1 => (a := …)
    p2 => (a := …)
    p3 => (a := …)
    …
  ==> a := some deterministic expression
• complex expressions ==> syntactic analysis is insufficient
Optimizations for Constraint-Rich Models
• Time-Invariant Constraints
  • arise from modeling
  • may have lots of redundant state bits
• Our Solutions
  • remove redundant state variables
    • identify macros: assignment-extraction algorithm
    • select macros: BDD characteristics
  • partition (conjunctive partitioning) remaining constraints
    • apply an improved version of [Ranjan et al. ’95] algorithm
Redundant State-Variable Removal: Problem Statement
• Given invariant constraint c and state variable v
• Question: c ==> (v == g) ?
  • if so, v is redundant
  • replace v with g
• Related Work
  [Berthet, et al. ’90] [Lin & Newton ’91] [Hu & Dill ’93] [Eijk & Jess ’96] [Sentovich, et al. ’96]
  • Problems
    • require constraints to be combined first
    • removal is not always beneficial
Redundant State-Variable Removal: Our Approach: Assignment Extraction Algorithm
[Diagram: c_i ==> (v ∈ G_i), a non-deterministic assignment]
• If G_i = { g_i }, we have v == g_i
Redundant State-Variable Removal: Partitioned Constraints
[Diagram: c_1 ==> (v ∈ G_1), c_2 ==> (v ∈ G_2), …, c_n ==> (v ∈ G_n); combined: v == g ?]
• use graph sizes to determine the “goodness” of g
Redundant State-Variable Removal: Assignment Extraction Algorithm (Core Idea)
• Target
  • To construct a solution for G_i
    c_i ==> (v ∈ G_i)
    c_i|v=k ==> (k ∈ G_i)   [substitute v with k]
    for all k ∈ K_v, where K_v is the set of possible values of v
  • G_i = ∪ over k ∈ K_v of ( if c_i|v=k then { k } else { } )
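The core idea above, worked by explicit enumeration over small finite domains (an added illustration, not the authors’ BDD implementation): for each environment of the other variables, G(env) collects the values k with c|v=k true, and v is a macro exactly when no environment leaves more than one such k. The pipe constraint is Example 1 from the slides; the cmd constraint is a constructed stand-in for Example 4’s non-deterministic choice.

```python
"""Assignment extraction by explicit enumeration (added illustration; the slides use BDDs).

A constraint c is a predicate over a dict of finite-domain variables.  For target variable v,
G(env) = { k in K_v : c[v := k](env) } for every environment env of the other variables.
If no environment leaves more than one consistent k, then c ==> (v == g) and v is redundant."""
from itertools import product


def extract_assignment(constraint, v, domains):
    """Return (is_macro, table): table maps each environment of the other variables
    (a tuple, ordered by sorted variable name) to the set G(env) of consistent values of v."""
    others = sorted(x for x in domains if x != v)
    table = {}
    for values in product(*(domains[x] for x in others)):
        env = dict(zip(others, values))
        table[values] = {k for k in domains[v] if constraint({**env, v: k})}
    # Deterministic assignment: every environment admits at most one value of v.
    is_macro = all(len(g) <= 1 for g in table.values())
    return is_macro, table


def macro_for(constraint, v, domains):
    """Return the extracted macro g as {env: value} (environments that no choice of v
    can satisfy are dropped), or None when v is not redundant."""
    is_macro, table = extract_assignment(constraint, v, domains)
    if not is_macro:
        return None
    return {env: next(iter(g)) for env, g in table.items() if g}


# Slide Example 1: interface constraint min(out, c) == in  ==>  "in" is redundant.
PIPE_DOMAINS = {"out": range(4), "c": range(4), "in": range(4)}
def pipe(e):
    return min(e["out"], e["c"]) == e["in"]


# Constructed stand-in for Example 4: cmd is pinned in mode "low" but left
# non-deterministic (incomplete specification) in mode "high", so it is not a macro.
CMD_DOMAINS = {"mode": ("low", "high"), "cmd": ("open", "close", "idle")}
def cmd_constraint(e):
    if e["mode"] == "low":
        return e["cmd"] == "idle"
    return e["cmd"] in ("open", "close")


if __name__ == "__main__":
    print("in  is a macro:", macro_for(pipe, "in", PIPE_DOMAINS) is not None)           # True
    print("cmd is a macro:", macro_for(cmd_constraint, "cmd", CMD_DOMAINS) is not None)  # False
```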
Conjunctive Partitioning of Time-Invariant Constraints
• image(S) = ∃V. T ∧ (S ∧ C)
           = ∃(V − W). T ∧ [∃W. (S ∧ C)]
  where T does not depend on variables in W
  • many variables used only in time-invariant constraints
• Represent C as Conjunctive Partition
  • C1 ∧ C2 ∧ … ∧ Cm
  • monolithic BDD is too large to build
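The identity above, checked on the slides’ Example 1 with explicit state sets in place of BDDs (an added illustration, not code from the paper): “in” is used only by the constraint C, so it belongs to W and is quantified out of S ∧ C before T is ever conjoined. The three-valued domain and the transition relation are constructed for the example.

```python
"""Early quantification of constraint-only variables (added illustration with explicit
state sets; the slides do this on BDDs).

    image(S) = ∃V. T ∧ (S ∧ C) = ∃(V − W). T ∧ [∃W. (S ∧ C)]   when T does not mention W."""
from itertools import product

VARS = ("out", "c", "in")   # V: current-state variables; a state is a tuple in this order
W = ("in",)                 # used only by the time-invariant constraint C, never by T
DOMAIN = range(3)           # constructed three-valued domain for every variable


def states():
    return [dict(zip(VARS, vals)) for vals in product(DOMAIN, repeat=len(VARS))]


def key(s, names=VARS):
    return tuple(s[n] for n in names)


def constraint(s):
    """C: slide Example 1, the interface constraint in == min(out, c)."""
    return s["in"] == min(s["out"], s["c"])


def transition(s, nxt):
    """T(s, s'): out counts modulo 3 and c is preserved; "in" is never mentioned."""
    return nxt["out"] == (s["out"] + 1) % 3 and nxt["c"] == s["c"]


def image_naive(S):
    """∃V. T ∧ (S ∧ C): conjoin everything first, then quantify all of V."""
    return {key(n) for s in states() if key(s) in S and constraint(s)
            for n in states() if transition(s, n)}


def image_early(S):
    """∃(V − W). T ∧ [∃W. (S ∧ C)]: project W away from S ∧ C before T is applied."""
    kept = tuple(v for v in VARS if v not in W)
    projected = {key(s, kept) for s in states() if key(s) in S and constraint(s)}
    return {key(n) for vals in projected
            for n in states() if transition(dict(zip(kept, vals)), n)}


if __name__ == "__main__":
    S0 = {key(s) for s in states() if s["out"] == 0}
    assert image_naive(S0) == image_early(S0)
    print(sorted(image_early(S0)))
```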
Optimizations for Constraint-Rich Models: Overall Impact
[Chart: verification time per model; y-axis: time (sec)]
Performance Breakdown
• BDD-Based Macro Optimization
• Early-Quantification of W for ∃V. T ∧ [∃W. (S ∧ C)]
  • without and with macro optimization
Effects of BDD-Based Macro (No Early Quantification)
[Chart: y-axis: time (sec)]
Effects of BDD-Based Macro: Causes
[Chart: y-axis: % bdd vars removed]
Performance Breakdown
• BDD-Based Macro Optimization
• Early-Quantification of W for ∃V. T ∧ [∃W. (S ∧ C)]
  • without and with macro optimization
Effects of Early Quantification (No Macro Optimization)
[Chart: y-axis: time (sec)]
Effects of Early Quantification: Causes (No Macro Optimization)
[Chart: y-axis: % bdd vars extracted; maximum achievable = 50%]
Effects of Early Quantification (With Macro Optimization)
[Chart: y-axis: time (sec)]
Summary & Future Work
• Optimizations for Constraint-Rich Models
  • Enabled verification for DS1’s fault diagnosis model
    • 159 specs within 1 min
  • Typical of effort required to deal with models generated automatically from modular description
• BDD Algorithms for Compiler-Type Analysis
  • Assignment-Extraction Algorithm
  • cone-of-influence analysis: exact dependence information