Binary Decision Diagrams and Symbolic Model Checking
Randy Bryant (CMU), Ed Clarke (CMU), Ken McMillan (Cadence), Allen Emerson (U Texas)
http://www.cs.cmu.edu/~bryant
Binary Decision Diagrams
Restricted form of branching program
Graph representation of Boolean function
Canonical form
Simple algorithms to construct & manipulate
Application Niche
Problems expressed as Quantified Boolean Formulas
A lot of interesting problems are in PSPACE
Symbolic Model Checking
Prove properties about large-scale, finite-state systems
Successfully used to verify hardware systems
Boolean Function as Language
Truth Table
x1 x2 x3 | f
 0  0  0 | 0
 0  0  1 | 0
 0  1  0 | 0
 0  1  1 | 1
 1  0  0 | 0
 1  0  1 | 1
 1  1  0 | 0
 1  1  1 | 1
Language { 011, 101, 111 }
(Figure: DFA accepting exactly these three strings, with edge labels 0, 1 and 0,1.)
View n-variable Boolean function as a language ⊆ {0,1}^n
Reduced DFA is canonical representation
From DFA to OBDD
(Figure: the DFA above redrawn as an OBDD over x1, x2, x3 with terminals 0 and 1; each DFA state becomes a decision node and its 0/1 edges become the node's branches.)
Canonical representation of Boolean function
Two functions equivalent if and only if graphs isomorphic
Desirable property: simplest form is canonical
Representing Circuit Functions
Functions
All outputs of 4-bit adder (A + B gives S3 .. S0 and Cout)
Functions of data inputs a3 .. a0, b3 .. b0
(Figure: separate OBDDs for Cout, S3, S2 and S1 over the a_i, b_i inputs.)
Shared Representation
Graph with multiple roots
31 nodes for 4-bit adder
571 nodes for 64-bit adder
Linear growth
(Figure: the adder outputs S0 .. S3 and Cout as roots of one shared OBDD over the a_i, b_i inputs, with terminals 0 and 1.)
Effect of Variable Ordering
(a1 ∧ b1) ∨ (a2 ∧ b2) ∨ (a3 ∧ b3)
Good Ordering: a1 < b1 < a2 < b2 < a3 < b3 — one node per variable (6 nodes), Linear Growth
Bad Ordering: a1 < a2 < a3 < b1 < b2 < b3 — 14 nodes (1 a1, 2 a2, 4 a3, 4 b1, 2 b2, 1 b3), Exponential Growth
(Figure: the two OBDDs side by side, both with terminals 0 and 1.)
Sample Function Classes
Function Class     Best         Worst        Ordering Sensitivity
ALU (Add/Sub)      linear       exponential  High
Symmetric          linear       quadratic    None
Multiplication     exponential  exponential  Low
General Experience
Many tasks have reasonable OBDD representations
Algorithms remain practical for up to 500,000 node OBDDs
Heuristic ordering methods generally satisfactory
Symbolic Manipulation with OBDDs
Strategy
Represent data as set of OBDDs
Identical variable orderings
Express solution method as sequence of symbolic operations
Sequence of constructor & query operations
Similar style to on-line algorithm
Implement each operation by OBDD manipulation
Do all the work in the constructor operations
Key Algorithmic Properties
Arguments are OBDDs with identical variable orderings
Result is OBDD with same ordering
Each step polynomial complexity
If-Then-Else Operation
Concept
Basic technique for building OBDD from logic network or formula.
(Figure: a 2-way MUX over variables X; data input T is selected when I = 1, data input E when I = 0.)
Arguments
I, T, E: functions over variables X, represented as OBDDs
Result
OBDD representing composite function (I ∧ T) ∨ (¬I ∧ E)
If-Then-Else Execution Example
Argument I: graph A (root A1, top variable a)
Argument T: constant 1
Argument E: graph B (root B1)
With T = 1 this call computes Or(I, E), as on the Derived Algebraic Operations slide.
Recursive Calls
Each call is on a pair of nodes, one from each argument graph, starting at (A1, B1) and splitting on the top variable a, b, c or d; the pairs reached are (A2, B2), (A6, B2), (A6, B5), (A3, B2), (A5, B2), (A3, B4), (A4, B3) and (A5, B4), terminating at the 0/1 leaves.
Optimizations
Dynamic programming
Early termination rules
If-Then-Else Result Generation
Recursive Calls: (A1, B1), (A2, B2), (A3, B2), (A6, B2), (A6, B5), (A5, B2), (A3, B4), (A4, B3), (A5, B4)
Without Reduction: one result node per recursive call, labelled a, b, c, c, d, ..., with duplicated subgraphs and duplicated 1 leaves
With Reduction: result nodes C1 .. C6 over a, b, c, d plus the terminals 0 and 1
Recursive calling structure implicitly defines unreduced BDD
Apply reduction rules bottom-up as return from recursive calls
Restriction Operation
Concept
Effect of setting function argument x_i to constant k (0 or 1).
Also called Cofactor operation (UCB): F_x is equivalent to F[x = 1], F_¬x is equivalent to F[x = 0].
(Figure: F with inputs x1 ... x_{i-1}, x_i, x_{i+1} ... x_n; tying x_i to k yields F[x_i = k] over the remaining inputs.)
Restriction Execution Example
Argument F: OBDD over a, b, c, d with terminals 0 and 1
Restriction F[b = 1]: every b-node is replaced by its 1-branch; nodes above b keep their pointers
Reduced Result: OBDD over a, c, d after applying the reduction rules to the restricted graph
Derived Algebraic Operations
Other operations can be expressed in terms of If-Then-Else
And(F, G) = If-Then-Else(F, G, 0)   (MUX: select F, data inputs G and 0)
Or(F, G) = If-Then-Else(F, 1, G)    (MUX: select F, data inputs 1 and G)
Generating OBDD from Network
Task: Represent output functions of gate network as OBDDs.
Network: inputs A, B, C; gates T1 and T2 feed the output gate Out.
Evaluation
A = new_var("a"); B = new_var("b"); C = new_var("c")
T1 = And(A, B)
T2 = And(B, C)
Out = Or(T1, T2)
Resulting Graphs
A, B, C: a single decision node each on a, b, c
T1: nodes on a, b
T2: nodes on b, c
Out: nodes on a, b, c, sharing the terminals 0 and 1
Functional Composition
(Figure: G over x1 ... x_n is fed into input x_i of F, giving F[x_i = G] over x1 ... x_n.)
F[x_i = G] = If-Then-Else(G, F[x_i = 1], F[x_i = 0])
(Figure: a MUX with G on the select line chooses between F evaluated with x_i = 1 and F evaluated with x_i = 0.)
Create new function by composing functions F and G.
Useful for composing hierarchical modules.
Variable Quantification
∃x_i F = F[x_i = 0] ∨ F[x_i = 1]
(Figure: F evaluated with x_i tied to 1 and with x_i tied to 0; the two results are ORed and the inputs x1 ... x_{i-1}, x_{i+1} ... x_n remain.)
Eliminate dependency on some argument through quantification
Combine with AND for universal quantification: ∀x_i F = F[x_i = 0] ∧ F[x_i = 1]
Finite State System Analysis
Systems Represented as Finite State Machines
Sequential circuits
Communication protocols
Synchronization programs
Analysis Tasks
State reachability
State machine comparison
Temporal logic model checking
Traditional Methods Impractical for Large Machines
Polynomial in number of states
Number of states exponential in number of state variables.
Example: single 32-bit register has 4,294,967,296 states!
Temporal Logic Model Checking
Verify Reactive Systems
Construct state machine representation of reactive system
Nondeterminism expresses range of possible behaviors
“Product” of component state machines
Express desired behavior as formula in temporal logic
Determine whether or not property holds
Example: Traffic Light Controller Design
Property: “It is never possible to have a green light for both N-S and E-W.”
Model Checker answers True, or False + Counterexample
Characteristic Functions
Concept
A ⊆ {0,1}^n: set of bit vectors of length n
Represent set A as Boolean function A of n variables: X ∈ A if and only if A(X) = 1
Set Operations
Union A ∪ B: A ∨ B
Intersection A ∩ B: A ∧ B
Symbolic FSM Representation
(Figure: nondeterministic FSM with states 00, 01, 10, 11.)
Symbolic Representation
o1, o2: encoded old state
n1, n2: encoded new state
Represent set of transitions as function of (Old, New)
Yields 1 if can have transition from state Old to state New
Represent as Boolean function over variables encoding states
Reachability Analysis
Task
Compute set of states reachable from initial state Q0
Represent as Boolean function R(S)
Never enumerate states explicitly
Given: transition relation (old state, new state) → 0/1
Compute: R(state) → 0/1
Initial: R0 = Q0
Breadth-First Reachability Analysis
(Figure: the 4-state machine with R0 ⊆ R1 ⊆ R2 ⊆ R3 growing outward from the initial state.)
R_i: set of states that can be reached in i transitions
Reach fixed point when R_n = R_{n+1}
Guaranteed since finite state
Iterative Computation
R_{i+1}(new) = R_i(new) ∨ ∃old [ R_i(old) ∧ Trans(old, new) ]
(Trans stands for the transition relation of the previous slides; the slide's own symbol for it did not survive extraction.)
R_{i+1}: set of states that can be reached in i + 1 transitions
Either in R_i
or single transition away from some element of R_i
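An added worked example, not code from the talk or from any of the authors' tools: a minimal Python OBDD package covering the operations of the preceding slides (unique table and reduction rules, If-Then-Else with early termination and dynamic programming, the derived And/Or/Not, Restriction, existential quantification) and the breadth-first reachability iteration just described. ordering_demo builds (a1 ∧ b1) ∨ ... ∨ (an ∧ bn) under the good and bad orderings of the Effect of Variable Ordering slide and returns the node counts (8 versus 16 for n = 3, terminals included). reachable_states runs R_{i+1} = R_i ∨ ∃old [R_i(old) ∧ T(old, new)] on a constructed 4-state machine; its transitions, the variable names o1, n1, o2, n2 and the name T are assumptions made for the illustration, not the machine drawn on the slide.

```python
class BDD:
    """Reduced ordered BDDs with a unique table; node ids 0 and 1 are the terminals."""
    def __init__(self, order):
        self.rank = {v: i for i, v in enumerate(order)}  # variable -> position in ordering
        self.table = [None, None]                         # node id -> (var, low, high)
        self.unique = {}                                  # (var, low, high) -> node id
        self.ite_memo, self.res_memo = {}, {}             # dynamic-programming tables

    def mk(self, var, low, high):
        """Reduction rules: drop a node whose branches agree; share identical nodes."""
        if low == high:
            return low
        key = (var, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.table)
            self.table.append(key)
        return self.unique[key]

    def var(self, name): return self.mk(name, 0, 1)
    def And(self, f, g): return self.ite(f, g, 0)   # derived operations, as on the slide
    def Or(self, f, g): return self.ite(f, 1, g)
    def Not(self, f): return self.ite(f, 0, 1)

    def cofactor(self, f, x, k):  # branch k of f if x is its top variable, else f itself
        return self.table[f][1 + k] if f > 1 and self.table[f][0] == x else f

    def ite(self, i, t, e):
        """If-Then-Else = (i AND t) OR (NOT i AND e), with early termination and memoisation."""
        if i < 2 or t == e:
            return t if i else e
        if (t, e) == (1, 0):
            return i
        key = (i, t, e)
        if key not in self.ite_memo:
            x = min((self.table[n][0] for n in key if n > 1), key=self.rank.get)
            lo = self.ite(*(self.cofactor(n, x, 0) for n in key))
            hi = self.ite(*(self.cofactor(n, x, 1) for n in key))
            self.ite_memo[key] = self.mk(x, lo, hi)  # reduce bottom-up on return
        return self.ite_memo[key]

    def restrict(self, f, x, k):
        """F[x = k]: every x-node is replaced by its k branch; nodes above keep their pointers."""
        if f < 2 or self.rank[self.table[f][0]] > self.rank[x]:
            return f
        v, lo, hi = self.table[f]
        if v == x:
            return hi if k else lo
        key = (f, x, k)
        if key not in self.res_memo:
            self.res_memo[key] = self.mk(v, self.restrict(lo, x, k), self.restrict(hi, x, k))
        return self.res_memo[key]

    def exists(self, f, xs):  # existential quantification: OR of the two restrictions per variable
        for x in xs:
            f = self.Or(self.restrict(f, x, 0), self.restrict(f, x, 1))
        return f

    def rename(self, f, mapping):  # substitute names; valid only if mapping preserves relative order
        if f < 2:
            return f
        v, lo, hi = self.table[f]
        return self.mk(mapping.get(v, v), self.rename(lo, mapping), self.rename(hi, mapping))

    def size(self, f):  # nodes reachable from f, terminals included
        seen, todo = set(), [f]
        while todo:
            n = todo.pop()
            if n not in seen:
                seen.add(n)
                todo.extend(self.table[n][1:] if n > 1 else ())
        return len(seen)


def ordering_demo(n=3):  # size of (a1 b1) + ... + (an bn) for interleaved vs separated orderings
    def build(order):
        bdd, f = BDD(order), 0
        for i in range(n):
            f = bdd.Or(f, bdd.And(bdd.var(f"a{i}"), bdd.var(f"b{i}")))
        return bdd.size(f)
    good = [v for i in range(n) for v in (f"a{i}", f"b{i}")]
    bad = [f"a{i}" for i in range(n)] + [f"b{i}" for i in range(n)]
    return {"good": build(good), "bad": build(bad)}  # 2n + 2 nodes versus 2**(n + 1)


def reachable_states():
    """Breadth-first reachability on a constructed 4-state machine (transitions are hypothetical)."""
    bdd = BDD(["o1", "n1", "o2", "n2"])  # interleave old/new so rename keeps the ordering
    def state(bits, xs):  # characteristic function of one state over variables xs
        return bdd.And(*[bdd.var(x) if bit else bdd.Not(bdd.var(x)) for bit, x in zip(bits, xs)])
    # 00->01, 01->10, 10->01, 10->00, 11->11: state 11 is never entered
    edges = [((0, 0), (0, 1)), ((0, 1), (1, 0)), ((1, 0), (0, 1)), ((1, 0), (0, 0)), ((1, 1), (1, 1))]
    trans = 0
    for s, t in edges:  # transition relation T(old, new) as a characteristic function
        trans = bdd.Or(trans, bdd.And(state(s, ("o1", "o2")), state(t, ("n1", "n2"))))
    reach, steps = state((0, 0), ("o1", "o2")), 0  # R0 = Q0
    while True:  # R_{i+1} = R_i OR exists old.[R_i(old) AND T(old, new)], renamed back to old
        image = bdd.rename(bdd.exists(bdd.And(reach, trans), ["o1", "o2"]), {"n1": "o1", "n2": "o2"})
        nxt = bdd.Or(reach, image)
        if nxt == reach:  # fixed point: canonicity makes this a node-id comparison
            return [s for s in [(0, 0), (0, 1), (1, 0), (1, 1)]
                    if bdd.And(reach, state(s, ("o1", "o2"))) != 0], steps
        reach, steps = nxt, steps + 1
```

Two points worth noticing in the block. The fixed-point test is a plain comparison of node ids, which is exactly the canonicity property of the earlier slides (two functions are equal if and only if they are the same node). Renaming the quantified image from new-state to old-state variables is done by rebuilding nodes, which is only sound because the ordering interleaves o_i with n_i; a production package would use a substitution operation that does not depend on that layout.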
Symbolic FSM Analysis Example
K. McMillan, E. Clarke (CMU), J. Schwalbe (Encore Computer)
Encore Gigamax Cache System
Distributed memory multiprocessor
Cache system to improve access time
Complex hardware and synchronization protocol.
Verification
Create “simplified” finite state model of system (10^9 states!)
Verify properties about set of reachable states
Bug Detected
Sequence of 13 bus events leading to deadlock
With random simulations, would require 2 years to generate failing case.
In real system, would yield MTBF < 1 day.
System Modeling Example
(Figure: Gigamax memory system; a global bus connects Cluster #1, modeled in detail with its bus, memory, interface, cache controllers and processors, to abstractions of Cluster #2 and Cluster #3.)
Simplifying Abstractions
Single word cache
Single bit/word
Abstract other clusters
Imprecise timing
Arbitrary reads & writes
Commercial Applications of Symbolic Model Checking
Several Commercial Tools
Difficult training and customer support
Most Large Companies Have In-House Versions
IBM, Lucent, Intel, Motorola, SGI, Fujitsu, Siemens, …
Many based on McMillan’s SMV program
Requires Sophistication
Beyond that of mainstream designers
Application Challenge
(Figure: system size against degree of concurrency; challenging systems to design lie beyond model checking capacity on both axes.)
Cannot Apply Directly to Full Scale Design
Verify smaller subsystems
Verify abstracted versions of full system
Must understand system & tool to do effectively
Real World Issues
Still Too Volatile
Fail by running out of space
Useless once exceed physical memory capacity
Ongoing Research to Improve Memory Performance
Dynamic variable ordering
Exploiting modularity of system model
Partitioned transition relations
Exploiting parallelism
Map onto multiple machines
Difficult program for parallel computation
Dynamic, irregular data structures
Dynamic Variable Reordering
Richard Rudell, Synopsys
Periodically Attempt to Improve Ordering for All BDDs
Part of garbage collection
Move each variable through ordering to find its best location
Has Proved Very Successful
Time consuming but effective
Especially for sequential circuit analysis
Dynamic Reordering By Sifting
Choose candidate variable
Try all positions in variable ordering
Repeatedly swap with adjacent variable
Move to best position found
(Figure: the OBDD of the variable-ordering example as b1 is sifted through every position of the ordering, e.g. a1 a2 a3 b2 b1 b3, a1 a2 a3 b2 b3 b1, a1 a2 b1 a3 b2 b3, a1 b1 a2 a3 b2 b3, b1 a1 a2 a3 b2 b3; the graph shrinks as b1 moves next to a1, and “Best Choices” marks the positions with the fewest nodes.)
Swapping Adjacent Variables
Localized Effect
Add / delete / alter only nodes labeled by swapping variables
Do not change any incoming pointers
(Figure: before the swap, the b2 layer holds nodes e, f and the b1 layer below it holds g, h, i, j; after swapping b1 and b2, the b1 layer holds i, j and the b2 layer holds e, f, g, h. Pointers from above into the swapped layers are unchanged.)
Tuning of BDD Packages
Cooperative Effort
Bwolen Yang, in cooperation with researchers from Colorado, Synopsys, CMU, and T.U. Eindhoven
Measure & improve performance of BDDs for symbolic model checking
Methodology
Generated set of benchmark traces
Run 6 different packages on same machine
Compare results and share findings
Cooperative competition
Effect of Optimizations
Compare pre- vs. post-optimized results for 96 runs
6 different BDD packages
16 benchmark traces each
Limit each run to maximum of 8 CPU hours and 900 MB
Measure speedup = T_old / T_new, or:
New: Failed before but now succeeds
Fail: Fail both times
Bad: Succeeded before, but now fails
Optimization Results Summary
(Figure: cumulative speedup histogram over the 96 runs; the bar values are not recoverable from the extraction.)
What’s Good about OBDDs
Powerful Operations
Creating, manipulating, testing
Each step polynomial complexity
Graceful degradation
Generally Stay Small Enough
Especially for digital circuit applications
Given good choice of variable ordering
Weak Competition
No other method comes close in overall strength
Especially with quantification operations
Thoughts on Algorithms Research
Need to be Willing to Attack Intractable Problems
Many real-world problems NP-hard
No approximations for verification
Who Works on These?
Mostly people in application domain
Most work on BDDs in computer-aided design conferences
Not by people with greatest talent in algorithms
No papers in STOC/FOCS/SODA
Probably many ways they could improve things
Fundamental dilemma
Can only make weak formal statements about efficiency
Utility demonstrated empirically