Syntax-driven partitioning for model-checking of Esterel programs
Eric Vecchié - INRIA Aoste
Motivation
• Build the Reachable State Space…
• …following the syntax
abort P when S;
Q
• The Reachable State Space is the basis for
  – Model-checking
  – Code optimization
  – Test sequence generation
  – …
Reachable State Space
• Breadth First Search algorithm
    R ← INIT
    new ← R
    while ( new ≠ ∅ ) do
        new ← Image(new) \ R
        R ← R ∪ new
    end while
• Symbolic methods (BDDs)
What is done
[Figure: Size of computations. BDD size plotted against the number of states reached; the BDD of the non-saturated states set is marked.]
Solution: rely on the structural syntax of the program
What we do
Example: Wristwatch
[Figure: block structure of the Wristwatch example. Blocks: watch, stopwatch, display, alarm_set, time_set.]
How to partition?
• According to program blocks
– Separated by frontiers
– Synthesized from signal receptions
• Build a control flow graph
– Encoding frontiers
– Guiding the RSS computation
Preemption / if-then-else
[Figure: a preemption `abort P when S` followed by Q, and an if-then-else `present S then P1 else P2 end` followed by Q. In both cases the reception of S separates the blocks.]
Partitioning Example
    abort
      P
    when S;
    present T then
      Q1
    else
      Q2
    end;
    R
[Figure: the program partitioned into the blocks P, Q1, Q2 and R, with frontiers at the receptions of S and T.]
Parallel Constructs
• Avoid the cartesian product of the branches' blocks
  – {P1, P2} × {Q1, Q2}
• Use signal information
[Figure: P1 ; P2 || Q1 ; Q2]
Parallel and signals
[Figure: two parallel branches (P1, Q1, R1 and P2, Q2, Q3, R2) communicating through the signals S1 and S2; the signal receptions give the frontiers.]
Parallel and signals
• Only increasing: avoids the cross product
• May be unsatisfactory on loops
  – …but only in rare cases
Loops
[Figure: a loop over the blocks P and Q.]
Control Flow Graph construction
    abort
      loop pause end
      || pause ; pause
    when S;
    present T then
      pause || pause
    else
      pause
    end
Symbolic methods
Binary Decision Diagrams (BDDs) can represent:
• Boolean functions
• Sets (in a finite universe)
• Partitioned transition relations
Cofactoring
• Given a domain D, cofactoring reduces the BDD of a function f:
    f↑D(x) = f(x) if x ∈ D
  (the value of f↑D outside D is free, which is what lets its BDD be smaller than that of f)
• It is used in 2 ways
  – Reduce the domain according to our frontiers
  – Apply the transition function only to the new states
Experiments
• A medium-sized design: sequencer
• A big design: cabin
BDD sizes in “sequencer”
[Figure: BDD sizes during the RSS computation of “sequencer”, default method versus partitioning.]
A big design: “cabin”
                    Default method        Partitioning
  States reached    534                   135 441 875
  Steps (time)      3 steps (11.85s)      123 steps (35h40)
Conclusion
Program verification following program syntax
• Preemptions, if-then-else
• Signals in parallels
Smaller intermediate BDDs
• Lighter transition functions
• Lighter image computations
Less memory required
The End
Introduction
• Esterel: synchronous reactive structural programming
  – sequence, if-then-else
  – parallelism, preemption
• Circuit translation (model-checking level)
Partitioning - detail