1 / 24

SYMBOLIC MODEL CHECKING : 10 20 STATES AND BEYOND

SYMBOLIC MODEL CHECKING : 10 20 STATES AND BEYOND. J.R. Burch E.M . Clarke K.L . McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam. OUTLINE. Motivation Definitions Symbolic Model Checking Contribution Mu-Calculus Encoding Binary Decision Diagram Representation

rue
Télécharger la présentation

SYMBOLIC MODEL CHECKING : 10 20 STATES AND BEYOND

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SYMBOLIC MODEL CHECKING: 1020STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by RehanaBegam

  2. OUTLINE • Motivation • Definitions • Symbolic Model Checking • Contribution • Mu-Calculus Encoding • Binary Decision Diagram Representation • Model Checking Algorithm • CTL Model Checking • Empirical Results • Summary • Future Work

  3. MOTIVATION • Many different methods for automatically verifying finite state systems • LTL • CTL • All rely on algorithms that explicitly represent a state space, using a list or table that grows in proportion to the number of states • Number of states in the model grow exponentially with the number of concurrently executing components • The size of the state table is the limiting factor in applying these algorithms to realistic systems

  4. MOTIVATION • This “state explosion problem” can not be handled by the state enumeration methods • Explicit state enumeration methods are limited to systems with at most 108 reachable states • Can be eliminated by representing the state space symbolically instead of explicitly • This technique verifies models with more than 1020 states !

  5. DEFINITIONS • Relational variable • a predicate or a function • Abstraction operator • λ: used in lambda calculus • f(x1, x2) is written as λx1, x2[f] • Relational term • f is a formula and yi are individual variables • R is relational term and P is a relational variable with arity n • Fixed point of function f • An element x such that f(x) = x

  6. DEFINITIONS • Least fixed point is the least element that is a fixed point. y is lfp of f in S iff (f(y) = y) ∧ (∀x S . (f(x) = x) ⇒ (y ⊆ x)) • Greatest fixed point is the greatest element that is a fixed point. y is gfp of f in S iff (f(y) = y) ∧ (∀x S . (f(x) = x) ⇒ (x ⊆ y)) • Fixed point operators • μ and ν are the lfp and gfp operators used in mu-calculus • Monotone function • A function f is monotone iff for all P ⊆ S and Q ⊆ S, P ⊆ Q ⇒ f(P) ⊆ f(Q)

  7. DEFINITIONS • Variable Interpretation • Individual IP: for each individual variable y, IP(y) is a value in domain D • Relational IR: for each n-ary relational variable P, IR(P) is an n-ary relation in domain D • Substitution of Variables • The substitution of a variable w for a variable v in a formula f, denoted f(v ← w) f <v ← w> ⇒ ∃v [(v ⇔ w) ∧ f]

  8. SYMBOLIC MODEL CHECKING • In explicit state model checking, we represent the Kripke structure as a graph and implement the model checking algorithm as graph traversal. • 2 main steps: • Encode Model Domain: Describe sets of states as propositional logic formulae instead of enumeration: Mu-Calculus S = {1, 2, 3, 4, 5} = {x | 1 ≤ x ≤ 5} • Compact Representation: Represent those logical formulae/boolean functions using efficient means of manipulating boolean functions: Binary Decision Diagrams

  9. CONTRIBUTIONS • Provides a generalized symbolic model checking method by using a dialect of the Mu-Calculus as the primary specification language • Describes a model checking algorithm for Mu-Calculus formulas that uses BDD to represent relations and formulas • Shows how Mu-Calculus model checking algorithm can be used to derive efficient decision procedures for CTL, LTL model checking • Discusses how it can be used to verify a simple synchronous pipeline circuit

  10. MU-CALCULUS • Syntax: • In this formula, R can be a Relational variable or a Relational term of the following two forms: • Second one represents the least fixed point of R where R be formally monotone with P

  11. MU-CALCULUS • Example:

  12. MU-CALCULUS • Formal Definition: • given a finite signature • each symbol in is either an Individualvariable or a Relational variable with some positive arity. • recursively define two syntactic categories: formulas and relational terms. • Formula:

  13. MU-CALCULUS • Relational term: • ∀, ∧, ⇒, and ⇔ are treated as abbreviations in the usual manner • ¬R is an abbreviation for • R ∨ R’ is an abbreviation for

  14. MU-CALCULUS • Model M = (D, IR, ID), where D is the domain • Semantic function

  15. MU-CALCULUS

  16. BINARY DECISION DIAGRAM • Widely used in various tools for the design and analysis of digital circuits • Canonical form representation for Boolean formulas • Similar to binary decision tree • Allows many practical systems with extremely large state spaces to be verified-which are impossible to handle with explicit state enumeration methods

  17. BINARY DECISION DIAGRAM • DAG • Occurrence of variables is ordered from root to a leaf. • Example: • Formula: (a ∧ b) ∨ (c ∧ d) • Ordering: a < b < c < d • (a ←1, b ← 0, c ← 1, d ← 1) leads to a leaf node labeled 1

  18. MODEL CHECKING ALGORITHM • For the Mu-Calculus that uses BDDs as its internal representation • BDDATOM(f) returns BDD iff f = 1 • Last case substitutes xi by dummy di • FixedPoint() is the standard technique

  19. CTL MODEL CHECKING • CTL formula f is true of Kripke structure M= (A, S, L, N, SO) ⇔ Mu-Calculus formula f' is true of a structure M’ = (S, IR, ID) • If CTL formula f is an abbreviation for the Mu-Calculus relational term R, then f is true at state s iff R(s) is true • If f has no temporal operators, then it represents the relational term R

  20. CTL MODEL CHECKING • EX f =λS [ ∃t [ f(t) ∧ N(s, t) ] ] • EG f = f ∧ EX EG f = νQ [ f ∧ EX Q] = νQ [ λS [ f(s) ∧ ∃t [ Q(t) ∧ N(s, t) ] ] • E [ f ∪ g ] = g ∨ (f ∧ EX E[f ∪ g]) = μQ [g ∨ (f ∧ EX Q]] = μQ [λS [g(s) ∨ (f(s) ∧ ∃t [Q(t) ∧ N(s, t)]]

  21. EMPIRICAL RESULTS • Performs three-address logical and arithmetic operations on a register • 3 Pipeline stages: • Operand read from the register file • ALU (Arithmetic Logic Unit) operation • Write back to register

  22. EMPIRICAL RESULTS • Pipeline with 12 bits has approximately 1.5 x 1O29 reachable states • The number of nodes in BDD is asymptotically linear in the number of bits, not exponential • The verification time is polynomial in the number of bits

  23. SUMMARY • Suitable encoding of the model domain and compact representation for relations, the complexity of various graph-based verification algorithms is reduced • Regular structure of the data path logic captured by the BDD representation results in a linear space complexity in the number of circuit components rather than exponential

  24. FUTURE WORKS • Characterization of the models for which the BDD Mu-Calculus checker is efficient • Applicability of developed technique in common graph algorithms whose results can be expressed as relations, such as minimum spanning trees, graph isomorphism etc.

More Related