Reachability Analysis for Asynchronous Systems

Efficient Reachability Analysis for Verification of Asynchronous Systems
Nishant Sinha
Outline
• Formal Verification: Motivation
• Reachability for Asynchronous Systems
  • Partitioned Transition Relations
• Efficient Reachability Techniques
  • MBFS and Saturation
• Saturation: Experimental Results
• Conclusions
Formal Verification: Introduction
• Use methods from formal logic
  • Show validity of properties on systems
  • Formal requirements hold on a design
  • Software, circuits, protocol models
  • Alternative to simulation and testing, which do not cover all behaviors
• Model checking
  • Verify concurrent systems
  • Introduced by Clarke et al. (1981)
  • An automated technique
Model Checking
• Finite state-transition model M, property φ
• Determine if M satisfies φ
• Properties φ like:
  • req is always followed by ack
  • No error state is reachable from the initial state
• Involves reachability analysis
  • Generate reachable set of states
  • State space explosion
[Figure: state-space explosion, K boolean state variables give up to 2^K states]
Asynchronous Systems
• Concurrent systems
  • Consist of several execution units
• Synchronous
  • All units take an execution step together
• Asynchronous
  • Units may execute independent of each other
  • Interleaved semantics of execution
  • E.g. concurrent software, asynchronous circuits
• Goal: efficient model checking of asynchronous systems
[Diagram: two approaches, Symbolic and Reduced State-Space]
Symbolic Model Checking
• Use Ordered Binary Decision Diagrams (BDDs)
  • Canonical, compact, operate on state sets
  • States encoded by boolean variables V
  • Transition relation also as BDD N(V,V')
• Encode the system model M with BDDs
Example: two states s0, s1 encoded by one variable a; transitions t1, t2, t3
  N(a,a') = (!a ∧ a') ∨ (a ∧ !a') ∨ (a ∧ a'),  variable order a < a'
  a  a'  N(a,a')
  0  0   0
  0  1   1
  1  0   1
  1  1   1
[Figure: state graph s0, s1 with transitions t1, t2, t3, and the BDD for N(a,a') with nodes a, a' and terminals 0, 1]
Partial-Order Reduction
• Alternative model checking approach
  • Useful if order of execution of transitions is irrelevant
  • Sufficient to visit a subset of actual reachable state space
  • Choose a representative set of paths
• Focus of this talk
  • Full state space reachability using BDDs
[Figure: two independent transitions a and b from s0 form a diamond s0s0' → s1s0' / s0s1' → s1s1'; partial-order reduction keeps one representative path]
Reachability Analysis
• One-step reachability:
  • Given a set of states S
  • Find which states S' can be reached in one step
• Iteratively apply one-step reachability
  • Until no new states are visited
  • Breadth-first exploration of graph
[Figure: breadth-first frontiers R0, R1, R2 = R3 over a graph with states a to g]
The Bigger Picture
[Figure: two combinational circuits with delay elements, inputs I1, I2 and outputs o1, o2; the output sequence (o1,o2) = (0,0), (1,0), (1,1), (0,1), ... and the question which states are reachable]
Symbolic Reachability: Image Computation
• Image of a set of states S
  • Transition relation N: one-step reachability
  • Basic operation, hence must be efficient
• Symbolic image computation: S(V), N(V,V') BDDs
  • Img(S,N) = [∃v ∈ V. (S(V) ∧ N(V,V'))]
• Reachability (starting from initial S0):
  • Reach(S,N) = S ∪ Img(S,N)
  • Fixpoint: μS. Reach(S,N)
• Efficiency problem: large N(V,V')
  • Large intermediate BDD sizes in image computation
Illustration: Intermediate BDD Sizes
[Chart: #States (millions) and #BDD nodes per iteration for the Dining Philosophers model; BDD node count peaks in the intermediate iterations]
Partitioned Transition Relations
• Introduced by Burch et al. [BCL91]
  • N(V,V') = N1 ⊕ N2 ⊕ ... ⊕ Nk, where ⊕ is conjunction (∧) or disjunction (∨)
  • Typically, each Ni much smaller than N
• Asynchronous systems with interleaving semantics:
  • N(V,V') = N1 ∨ N2 ∨ ... ∨ Nk
  • Ni: only the ith unit executes
  • Img(S, N) = ∨i Img(S,Ni)  (union of the per-unit images)
[Figure: partitions N1, N2, N3]
[BCL91] J.R. Burch, E.M. Clarke, and D.E. Long. Symbolic model checking with partitioned transition relations. In A. Halaas and P.B. Denyer, editors, International Conference on Very Large Scale Integration, pages 49-58, Edinburgh, Scotland, 1991. North-Holland.
BDD Blowup
• Must consider different intermediate combinations of reachable states of concurrent units
  • Even if they are independent
  • Adds to intermediate BDD sizes
• Idea: explore each unit separately to avoid such correlation [BCL91]
  • Modified Breadth-First Search (MBFS)
Modified Breadth-First Search (MBFS)
• Given a disjunctive partition N1, ..., Nk
  • Compute local fixpoints: μS. Reach(S,Ni)
  • Stop when: ∀i. Reach(S,Ni) = S
• Lower intermediate BDD sizes
• Chaotic fixpoint iteration strategy
  • Family of functions: {Reach(S,Ni) | i ≤ k}
  • Apply functions in arbitrary order till convergence
  • Must apply each function sufficiently often
• Observation: MBFS strategy may not be able to avoid blowups in some cases
[Figure: local fixpoints N1*, N2*, N3*]
Illustration: BDD Blowup in MBFS
[Figure: four states s0 = (00), s1, s2 = (10), s3 = (01) over variables v1, v2 with s = (v2, v1, ...), transitions N1, N2, N3, ...; the MBFS sequence (s0) → N1 → (s0,s2) → N2 → (s0,s1,s2) → N1 → (s0,s1,s2,s3) with the BDD at each step, ending in BDD explosion]
Saturation: New Approach
• Assume fixed variable ordering on BDDs: v1 < v2 < ... < vk
• Define
  • High(Ni): "least" variable that Ni might change
  • Low(Ni): "greatest" variable that Ni might change
• Order transition relations by [High(Ni), Low(Ni)]:
  • Nj ≺ Ni
  • Nj changes only "lower" BDD variables than Ni
[Figure: BDD for N1 over v1 and BDD for N2 over v2; N1 ≺ N2]
Saturation (Contd.)
• Saturate(Ni)
    do
      Compute μS. Reach(S,Ni)      /* states reachable by only Ni */
      ∀ Nj ≺ Ni. Saturate(Nj)      /* explore all Nj ≺ Ni */
    until S does not change
  • Visits all possible reachable states using "lower" transition relations than Ni
• Overall strategy: K partitions
  • For i = 1 to K: Saturate(Ni)
[Figure: saturated partitions N1*, N2*, N3*]
Saturation: Discussion
• Advantages
  • Exploits independence of concurrent units
  • Lower intermediate BDD sizes than MBFS
  • Faster reachability computation in many cases
• Drawbacks
  • May lead to spurious iterations
  • Relies heavily on good variable ordering
Experimental Results
• Implemented Saturation approach in NuSMV model checker
  • Handles designs of industrial strength

Model        Vanilla-NuSMV             NuSMV+Saturation
             #BDD nodes   time         #BDD nodes   time
Dph(5)       13982        2.37         476          0.51
Dph(100)     OOR          OOR          1208761      1550.8
Dme          869516       5329.15      16658        55.86
Kanban(20)   1099118      12339.77     28244        7.71

OOR: out of resources
Comparison with NuSMV with default options
Experimental Results (contd.)
• Implemented MBFS approach in NuSMV

Model        States      NuSMV+MBFS               NuSMV+Saturation
                         #BDD nodes   time        #BDD nodes   time
Dph(10)      9.03E+05    23660        6.33        18844        27.86
Kanban(20)   8.05E+11    77639        25.94       28187        7.56
Kanban(40)   9.94E+14    639334       756.95      199341       94.97
FMS(20)      6.03E+12    64262        38.27       63432        25.67
FMS(40)      2.64E+16    512273       406.86      512273       222.58

Comparison with MBFS
Experimental Results (contd.)
[Chart: Kanban(20), comparison of intermediate BDD sizes; #BDD nodes (thousands) per iteration for MBFS and Saturation]
Conclusions
• Efficient methods to compute reachable states of asynchronous systems
  • Based on disjunctive partitions
  • MBFS
  • Alternative approach: Saturation
• Experimentally validated on several examples
• Future research
  • Heuristics for obtaining good BDD variable ordering automatically
  • Combining Saturation with Partial-Order Reduction
Questions?