1
Implicit and explicit exploration
of the reachable state space
of Esterel logical circuits
PhD Defense
Yannis BRES
Advisor: Gérard BERRY
December 12th, 2002
Outline
Introduction:
Context of this work, the reactive synchronous approach, Esterel,
automata and circuits, reachable state space computation, BDDs
I – Pure implicit approach:
A formal verifier offering variable inputization or abstraction
II – Enumerative approach:
A versatile engine for the exploration of reachable state spaces:
Automaton generation
Formal verification
Exhaustive test sequence generation
Conclusions and future prospects
2
The reactive synchronous approach
Reactive programs:
Execution split in reactions (instants), time is discrete
Environment analysis then reaction to this environment
Synchronous programs:
Theoretical simplification: reaction duration is 0, instantaneous broadcast
Broad application domain:
Real-time systems
Control/supervision of industrial processes
Embedded systems
Physical controlers
…
Based upon the semantic model of Finite State Machines (FSMs)
3
Esterel
A reactive synchronous imperative language with control-flow dominance
Modules/blocks run in parallel or sequentially
Modules/blocks can be preempted, suspended and resumed
Communication performed through instantaneously broadcast signals
Formal semantics
module Synchronize :
input A, B;
output O;
[ await A || await B ] ;
emit O
end module
4
Explicit automata
Central design representation in Esterel v1, v2, v3: automata
Automata can be exponentials both:
 in construction time
 in storage space
module Synchronize :
input A, B;
output O;
[ await A || await B ] ;
emit O
end module
5
Circuits
6
Central design representation since Esterel v4: logical circuits
Generation time and storage space are linear with respect to source code size
Automata vs. Circuits
Let's add a C signal in the previous program…
7
Automata vs. Circuits
Let's add a C signal in the previous program…
8
Formal verification by observers
module Synchronize :
input A, B;
output O;
||
[ await A || await B ] ;
emit O
abort
await O ;
emit BUG
when A
end module
Observers run in parallel with the program to be verified
Answer formally to the question: "can BUG ever be emitted?"
Safety properties:
"something wrong never occurs"
Safety properties:
"something good will occur sooner or later"
9
Reachable state space computation
Cornerstone of numerous applications:
automaton
generation
formal
verification
reachable state
space computation
equivalence
checking
(RSS)
generation of
exhaustive
test sequences
10
Reachable state space computation
"Onion" representation, by depth level:
Initial state
States reachable in 1 tick
States reachable in 2 ticks
States reachable in 3 ticks
…
Several approaches to RSS computation:
approach
state analysis
pure implicit
enumerative
BDDs
implicit
explicit
transition
analysis
explicit
11
12
Binary Decision Diagrams (BDDs)
Variable ordering is constant within the whole tree (here: x1 < y1 < x2 < y2)
Variable node (x1, x2, y1, y2)
"When false" path
Terminal node (0 or 1 constants)
"When true" path
x1
(x1  y1)  (x2  y2)
y1
y1
x2
x2
y2
1
y2
0
0
x2
y2
1
0
y2
0
0
x2
y2
0
0
y2
0
0
y2
0
1
y2
0
0
1
13
Binary Decision Diagrams (BDDs)
Several simplification rules:
1) Useless tests are removed
x1
(x1  y1)  (x2  y2)
y1
y1
x2
y2
1
y2
0
x02
x2
0
y2
1
0
y2
0
0
x2
y2
0
0
y2
0
0
y2
0
1
y2
0
0
1
14
Binary Decision Diagrams (BDDs)
Several simplification rules:
1) Useless tests are removed
2) Isomorph nodes/trees are shared
x1
(x1  y1)  (x2  y2)
y1
0
x2
y2
1
y1
0
x2
y2
0
0
y2
1
1
y2
0
0
1
15
Binary Decision Diagrams (BDDs)
Several simplification rules:
1) Useless tests are removed
2) Isomorph nodes/trees are shared
3) Edges are tagged in order to share opposite nodes (not shown here)
x1
(x1  y1)  (x2  y2)
y1
y1
x2
x2
y2
1
y2
0
0
x2
y2
1
0
y2
0
0
x2
y2
0
0
y2
0
0
y2
0
1
y2
0
0
1
Binary Decision Diagrams (BDDs)
In most cases:
A very compact representation of boolean functions
Very efficient algorithms for boolean function manipulations
Uses:
Representation of functions associated to circuit gates
Representation of sets through their caracteristic function
Worst-case complexities in both time and space:
=, , 
, substitutions
constant
quadratic
exponential
16
Reachable state space computation using BDDs
Exponentially complex wrt the number of involved variables:
1 BBD variable per input
Intermediate variable: must be , doesn't appear in results
1 BDD variable per state variables (register/latch)
Persistent variable: must be , appears in results
 Goal: reducing the number of state variables!
17
Outline
Introduction:
Context of this work, the reactive synchronous approach, Esterel,
automata and circuits, reachable state space computation, BDDs
I – Pure implicit approach:
A formal verifier offering variable inputization or abstraction
II – Enumerative approach:
A versatile engine for the exploration of reachable state spaces:
Automaton generation
Formal verification
Exhaustive test sequence generation
Conclusions and future prospects
18
Reducing the number of variables
A usual technique for state variable number reduction:
Turn state variables into free inputs (inputization)
Less variables to substitute
As many variables to 
+
=
Our approach: abstract variables using a ternary-valued logic (0,1,d)
Variables to be abstracted are replaced by the constant d (indifferent)
Less variables to substitute
Less variables to 
Abstracted variables are pre-quantified
+
+
Ternary-valued logic (0,1,d) :

0 1
1 0
d d

0
1
d
0
0
0
0
1
0
1
d
d
0
d
d

0
1
d
0
0
1
d
1
1
1
1
d
d
1
d
v
0
1
d
v0
1
0
0
v1
0
1
0
19
Inputization and abstraction: example
input
output
A, B;
O;
[ await A || await B ] ;
emit O
inputization
abstraction
20
Over-approximation
Both inputization and abstraction weakens contraints between variables
 Conservative over-approximation with respect to the RSS
 Formal verif.: no erroneous validation, only erroneous refutations
 "Snowball effect"
Inputization maintains correlation between variable instances
r  r  i  i = 0
r  r  i  i = 1
Abstraction loses correlation between variable instances
+
-
r  r  d  d = d
r  r  d  d = d
21
Over-approximation
Both inputization and abstraction weakens contraints between variables
 Conservative over-approximation with respect to the RSS
 Formal verif.: no erroneous validation, only erroneous refutations
 "Snowball effect"
Inputization maintains correlation between variable instances
r  r  i  i = 0
r  r  i  i = 1
Abstraction lose correlation between variable instances
+
- r  r  d  d = d r  r  d  d = d
source of over-approximation within the RSS computation
- Additional
when using a ternary-valued logic: set widening
+ In practice, when over-approximation races out of control, erroneous
refutations arise very quickly and computations stop
22
The Esterel selection tree
[
await I1 ; 1
do something ;
await I2 ; 2
do something
||
await I3 ; 3
do something
#

#
] ;
await I4 ; 4
do something
Allows to reduce over-approximation in two ways:
RSS ceiling
Reinforcement of relations between inputs for inputized variables
23
Our formal verifier: evcl
Esterel Verification Command Line
Main functionalities:
Variable inputization and abstraction
Over-approximation reduction using structural informations
White-box (integrated observers) / Black-box (external observers)
…
> 30 000 lines of C++ (and > 21 000 lines of shared libraries)
Experimentations:
(Mirage 2000-9 fuel management system, A380 warning system)
Abstraction can be up to 26 times faster than inputization
When over-approximation races out of control, computations stop quickly
 Nothing to lose in trying it!
24
Outline
Introduction:
Context of this work, the reactive synchronous approach, Esterel,
automata and circuits, reachable state space computation, BDDs
I – Pure implicit approach:
A formal verifier offering variable inputization or abstraction
II – Enumerative approach:
A versatile engine for the exploration of reachable state spaces:
Automaton generation
Formal verification
Exhaustive test sequence generation
Conclusions and future prospects
25
Reachable state space computation
"Onion" representation, by depth level:
Initial state
States reachable in 1 tick
States reachable in 2 ticks
States reachable in 3 ticks
…
Several approaches to RSS computation:
approach
state analysis
pure implicit
enumérative
BDDs
implicit
explicit
transition
analysis
explicit
26
Enumerative RSS computation
A versatile engine for the exploration of reachable state spaces:
Automaton generation
Formal verification
Exhaustive test sequence generation
States are individually analysed by propagating information within the circuit
Pure explicit approach:
Transitions analysed through recursive branchings on inputs
Hybrid implicit/explicit approach:
Transitions analysed through BDD propagations
Transparent support for (constructive) cyclic circuits
Several heuristics aiming at avoiding time or space explosion
 Very good performances
> 18 000 lines of C++ (and > 21 000 lines of shared libraries)
27
Automaton generation
28
Central design representation in Esterel v1, v2, v3: automata
Risk of explosion in both time and space
Central design representation since Esterel v4: logical circuits
Basically linear wrt source code in both generation time and storage space
Automaton generation has been neglected since v4:
v4 generator had very bad performances
v4 generator could not handle cyclic circuits
…
Advantages of automata remain!
Usually a very efficient implementation
A maximum of the control flow is computed at compilation time
Only data-dependent expressions remain to be evaluated at run time
Automata explicit numerous informations concerning designs
Automaton generation
How to generate an automaton?
Enumerative approach practicaly unavoidable
(for the respect of action causality)
Pure explicit approach better than hybrid approach
(too much BDD cofactorisations are required)
Our automaton generator, scoc:
By far more efficient than the v4 generator
Integrated into the Esterel compiler since v5_91
From now on marketed by Esterel Technologies Inc.
29
Application to formal verification
Pure implicit approach unavoidable for most designs
Pure implicit approach drawbacks:
Behaviour difficult to foresee, risks of explosion
Can only be applied to acyclic circuits
Very sensitive to redundant registers
Enumerative approach pros:
Behaviour usually very steady
Transparent support for cyclic circuits
Non-sensitive to redundant registers or design depth
Usually a lot much slower, can only be used in precise cases:
Deep designs (SAT 
)
Designs with numerous redundant registers (BDDs  )

30
Formal verification – experimentations
Purely linear testbench (depth: 243; states: 243)
SAT (Prover)
pure implicit
approach
pure explicit
approach
implicit / explicit
approach
no result after >3h
39mn
1.6s
1.8s
< 40 Mb
8.5 Mb
insignifiant memory consumption
Texas Instruments data bus (depth: 181; states: 652 948)
SAT (Prover)
pure implicit
approach
pure explicit
approach
implicit / explicit
approach
nothing after
several hours
17mn: 
(depth 9)
2h 33mn
3h 09mn
???
2 Gb
104 Mb
110 Mb
31
Generation of exhaustive test sequences
Finite State Machine semantic model:
 Generation of exhaustive tests sequences is feasible
Different coverage goals:
State coverage
Coverage of pathes leading to specific signals emission
Transition coverage
…
32
Generation of exhaustive test sequences
Esterel Technologies approach: pure implicit
Standard RSS computation (except for transition coverage)
Transitions are built by reverse image computations
Coverage data updates  BDD updates
Complete transition coverage not implemented
Only connected state pairs are connected
Number of state variables is doubled
Enumerative approach is more suited and not sensitive to coverage goal
33
34
State coverage – Experimentations
design
NDA
Arbiter12
NDA
Wristwatch
NDA
ATDS-100-C2
Renault
Testbench
TCINT
NDA
NDA
states
10
13
21
41
65
81
161
243
310
535
875
implicit approach
implicit / explicit
approach
# sequ.
time
4
0.10
cyclic
8
0.09
16
1.39
63
0.74
35
3.58
99
13.57
killed after >>1h
140
33.36
307
35.57
462
16.57
# sequ.
4
1
8
16
63
37
105
1
140
308
489
time
0.03
0.03
0.03
0.09
0.07
0.10
0.35
3.16
0.39
0.47
0.43
ratio
 3.5
 3.5
 16
 11
 36
 39
 86
 76
 39
Conclusions
A formal verification tool based on pure implicit approach:
Variables can be replaced by free inputs
Variables can be abstracted using a ternary-valued logic
Over-approximation reduction using structural information
White/Black box verification
…
An engine for the exploration of reachable state spaces:
Enumerative analysis of states
Explicit or implicit analysis of transitions
Versatile:
Automaton generation
Formal verification
Generation of exhaustive test sequences
35
Future prospects
Implicit approach:
Automate the selection of variables to inputize/abstract
Variable weighting heuristics of Quer/Cabodi et al. ?
In case of excessive over-approximation, refine abstraction
Counter-example analysis of Clarke/Grumberg et al.
Combine variable abstraction and RSS computation decomposition
Cho/Govidaraju et al. approaches
…
Enumerative approach:
Compact the known state table
Bitstate hashing of Holzmann, hash compaction of Stern/Dill et al.
State analysis prioritization (bug chasing)
Yang/Dill et al.
…
36