Efficient and Effective Symbolic Model Checking

1
Efficient and Effective Symbolic Model Checking

• Subramanian Iyer
• University of Texas at Austin

2
Objective of this work

• Improve the efficiency of symbolic model
  checking through effective use of partitioning
  techniques for state space decomposition, which
  are amenable to parallelization.

3
Outline

• Background
• The Partitioning Approach
• Model Checking
• The naïve algorithm
• An improved algorithm
• Bounded Model Checking

4
Sequential Verification

• Does Implementation fullfil its Specification?
• Model Checking
• State Based
• Given System under test
• Prove properties given in a temporal logic (eg
  CTL, LTL)
• Required for Model Checking
• Input Data Transition relation
• Generated Reachable states, Forbidden states
• Procedures Boolean Operations, Image Computation

5
Reachability Analysis
Algorithm
Simple property
2n
FromReachedS0 do To Img(TR,From) New To
\ Reached Reached Reached To From
New while(New ? Ø )

• C

• D

6
Model Checking

• Hinges on Reachability
• Basic Operation Pre-image
• In Simple terms
• Given bad formula f
• Compute reachable states
• Compute states satisfying f
• Pass if intersection is empty
• Key issues State set generation and
  representation
• Extensional, as originally proposed.
• Symbolic, as now practiced

7
Ordered Binary Decision Diagrams

• BDDs with
• read-once property
• fixed Variable order
• The restrictions guarantee
• Canonicity
• efficient Algorithms for Boolean Operations,
  Tautology, SAT and Equivalence check
• Disadvantage
• Blow-Up possible

• The minimizing problem
• better BDD Types (?)
• Transformations (?)
• Variable- Reordering
• Local Search Sifting

8
Symbolic Model Checking

• Using BDDs to represent sets of states
• Key operation is image computation
• Using transition relation
• Necessary to succinctly represent the transition
  relation
• What is the problem?

9
The Bottleneck in Verification

• State-based verification, model checking
• Can be fully automated in principle
• Why not in practice?
• State space representation
• Symbolically manifests as BDD blowup
• Limits extent of automation
• Limits size of designs that can be handled
• Capacity is restricted by representation size
• BDD based tools crash or thrash
• Lack of Memory restricts use of time
• So What can be done?

10
Outline

• Background
• The Partitioning Approach
• Model Checking
• The naïve algorithm
• An improved algorithm
• Bounded Model Checking

11
Partitioned Transition Relation

• Represented as conjunction of k parts TRi
• Easy to construct for synchronous circuits
• Conjunction of bitwise TRis the transition
  function of each state variable
• Set of variables partitioned into k disjoint
  subsets
• Transition functions for variables in each subset
  are conjuncted together to give TRi
• TR is the implicit conjunction of TRi for i in 1
  to k

12
Partitioned TR (Contd)

• Basis of reachable states computation
• Partitioned TR

TRj
Cluster of ROBDDs
Monolithic ROBDD
13
Image Computation

• The image computation step
• Partitioned TR useful due to early
  quantification (AndExist)
• Choice and order of TRjs is crucial for a good
  performance!

Img(TR,A) x( TR(x,y)? A(x))
Img(TR,A) xn( TRn? ...? x2( TR2? x1( TR1?
A)))...)
14
Partitioned TR - Observations

• What is it that is partitioned?
• The set of variables
• The relation
• Actual TR is an implicit conjunction
• Sets of states always ROBDD
• During image computation
• Before and After image computation

15
So What?

• Sets of states as ROBDDs
• Can get very large
• TR parts repeatedly conjuncted
• During each image
• Made easier combined with quantification
• Still repeated expense
• Solution Partition all state-sets

16
Partitioned ROBDD (POBDD)
Given the Boolean Function
Xf is its partitioned-ROBDD representation if,
where
and
are ROBDDs with variable ordering pi, and,
w2
w1
Each wi is called a window function
Note that the ROBDDs in each partition may have a
different variables ordering pi
w4
w3
17
A simple example

• f c (a1b1 a2b2) c (a1a2 b1b2 )
• w1 c
• w2 c
• f1 c (a1b1 a2b2)
• f2 c (a1a2 b1b2 )

f2
f1
c
c
?
?
?
?
a1
a1
a2
b1
b1
a2
b2
b2
1
1
0
0
?2 c, a1, a2, b1, b2
?1 c, a1, b1, a2, b2
18
Representation of State Space

• Same window sets
• Different partitions
• Respect diff variable orders
• Rooted at diff variables
• Corresponding partitions respect same variable
  order
• Canonicity
• Local Manipulability

19
On Using Partitioning

• Sets of states disjunctively partitioned
• Key Use same partitioning windows
• In particular, set of reachable states
• Induces disjunctive partitioning on TR
• TR is a Relation on state pairs Quadratic
• Notice each such TRij can further be
• Monolithic, Disjunctive, or Conjunctive
• Image computation
• Must consider to and from set in each partition

20
Reachability Revisited
Old Algorithm
FromReachedS0 do To Img(TR,From) New To
\ Reached Reached To From New while(New ?
Ø )
Notice that From is now partitioned TR applied to
Fromi of partition i, result Toi is also
partitioned So Toij is owned by partition j Must
be given to j. Quadratic such transfers!
21
Image and Reachability

• Fix point computations performed
• On each partition locally Using TRii
• Use reachability algorithm on ROBDDs
• Synchronization between partitions
• Cross-over images finds states use TRij , .
• Must keep it infrequent
• Postponed till local fixpoint reached

22
Reachability Example Initial set
23
Local Fix Point
24
Cross-over images
w2
T12
w1
R1
T14
T13
I3(x)
w3
w4
25
Another Local Fix point
26
More Cross over images
27
Example, cont.
28
Outline

• Background
• The Partitioning Approach
• Dynamic Partitioning
• Model Checking
• The naïve algorithm
• An improved algorithm
• Bounded Model Checking

29
Dynamic Partitioning

• When to partition?How many partitions to create?
• Decide on the fly!

30
Static Partitioning Inadequate

• A priori estimate of number of partitions
• Too few Each can get large
• Just one is ROBDD
• Too few can be as bad
• Too many Complex Image computation
• Creates sets owned by each partition
• Unowned states must be transferred
• Quadratic on number of partitions

31
k-POBDD Succinctness

• Comparing POBDDs with k and k-1 partitions BW97
  
• Any functions that can be succinctly represented
  by a (k-1)-POBDD can be represented by a k-POBDD
• There exist functions that are exponentially more
  succinct for a k-POBDD than for a (k-1)-POBDD
• Motivates Dynamically Partitioned BDDs

32
Dynamically Partitioned BDDs

• What is the goal?
• Automatically detect large partitions
• Split into multiple partitions as required
• Number of partitions determined by blowup
• Create windows as cubes of present state
  variables
• Windows must somehow ameliorate blowup.

33
Dynamic Partitioning Algorithm

• In any partition, if a BDD f gets larger than a
  threshold,
• Abort the current operation (usually image)
• Choose a splitting variable v to create 2
  partitions
• This v is a present state variable,
• Choice minimises the partitioning cost function
• Similar to cost function used for creating
  initial partitions
• Depends on the size and balance of the partitions
• Considers the partitioning basis
• One or both of the TR and the BDD for f
• If resulting BDDs still large, recursively split
  each partition
• Resume independently in each new partition.

34
Example, cont.
4
5
6

• More sophistication may be needed ?

35
Adaptive Dynamic Partitioning

• BDD based Computation unpredictable
• Can only take educated guesses.
• Trace centric try choices, select the best
• What if not working well?
• Rollback, but information can help in future.
• Learning based adaptive dynamic partitioning
• Blowup subsides too quickly, then what?
• Partitioned image computation

36
Experimental Results

• Partitioned implementation built on top of VIS
• CUDD package used
• Reuse advances in BDD techniques
• ROBDDs kept separate for each partition
• Do not share
• Optimize separately
• Benchmarks
• ISCAS89, VIS Verilog suite
• Fujitsu designs 2000 to 10,000 FF

37
Invariant Checking, Vs. VIS
38
Vs. Static partitioning
39
Industrial designs
A commercial tool partly based on VIS was used
here. Designs have 2,000 10,000 FlipFlops
40
Outline

• Background
• The Partitioning Approach
• Model Checking
• The naïve algorithm
• An improved algorithm
• Bounded Model Checking

41
Decompositional Model Checking

• Out of Memory?
• Decompose into independent pieces!
• Extend partitioning from reachability to Model
  Checking

42
CTL temporal properties

• EX(f), E(fUg), EG(f) form a basis set
• Invariant Checking AGp
• Absence of Deadlock
• Return to reset state AGEF(s0)
• Temporal Implication AG(p ? EF q)
• Liveness EGp, AFp

43
Outline

• Background
• The Partitioning Approach
• Model Checking
• The naïve algorithm
• An improved algorithm
• Experiments and Conclusion

44
Image Computation EXp

• forall (partitions j)
• forall (partitions k)
• PreImgjk(s) 9 s',iTRjk(s, s', i) Æ pk(s')
• reorder BDD PreImgjk from part order k to j
• end for
• Sj Çk PreImgjk
• end for
• output S

45
Least Fix Point E(pUq)

• S q , S.old NULL
• repeat
• S.old S
• temp computeEX(S)
• forall (partitions j)
• Sj qj Ç (pj Æ tempj)
• end for
• until(S S.old)
• output S

46
Greatest Fix Point EGp

• S p
• repeat
• S.old S
• temp computeEX(S)
• forall (partitions j)
• Sj pj Æ tempj
• end for
• until(S S.old)
• output S

47
Whats the problem?

• Image computation has two parts
• Transitions local to a partition (ij)
• Transitions Crossing over partitions (iltgtj)
• Cross-over images are expensive!
• Get BDDs, maybe from disk
• Store BDDs, maybe over network
• Reorder large BDDs
• The classical algorithm does one set of
  cross-over images during each EX.

48
Outline

• Background
• The Partitioning Approach
• Model Checking
• The naïve algorithm
• An improved algorithm
• Experiments and Conclusion

49
Least Fix Point E(pUq)

• S q, S.old NULL
• repeat
• S.old S
• forall (partitions j)
• repeat
• Sj .old Sj
• Sj Sj Ç (pj Æ EXl(Sj , j))
  under-approximate
• until(Sj Sj .old)
• end for
• S S Ç (p Æ EXc(S)) add
  missing states
• until(S S.old)
• output S

50
Greatest Fix Point EGp

• S p
• Border p Æ EXc(S)
  candidate set
• repeat
• S.old S
• forall (partitions j)
• repeat
• Sj .old Sj
• Sj pj Æ (EXl(Sj , j) Ç Borderj) over-approx
• until(Sj Sj .old)
• end for
• Border p Æ EXc(S)
  prune states
• until(S S.old)
• output S

51

• Model Checking
• Experiments and Conclusion

52
VIS Verilog benchmarks
53
(Model Checking) Conclusions

• Assuming a model where cross-over images are
  very expensive, the proposed algorithm
• Is no worse than the classical algorithm
• Converges faster, empirically, in terms of
• Number of cross-over images
• Time spent in cross-over images
• Reduces total model checking time
• Often quite significantly
• Is good for parallel model checking

54
Outline

• Background
• The Partitioning Approach
• Model Checking
• The naïve algorithm
• An improved algorithm
• Bounded Model Checking

55
Exploration of deep state space

• Combining symbolic reachability and SAT-BMC
• Using large computing resources

56
SAT based Model Checking
SAT
57
Combining BDDs and SAT-BMC
58
Outline of methodology

• Partitioned reachability
• Get multiple paths in state space
• Use under-approximation
• During image computations
• During seed selection
• Generate seeds at regular intervals
• Use only a subset
• Start multiple instances of SAT
• In parallel, one from each seed

59
Industrial designs w/error
Comparison against Ketchum Simulation BMC
60
Degree of under-approximation

• POBDD search as directions
• BMC locally complete exploration
• Less under-approximation
• More states in each run
• Larger BDD sizes
• Fewer runs and CPUs total
• More under-approximation
• Fewer states in each run
• smaller BDD sizes
• More CPUs total

61
Selecting optimal approximation

• Less approximation is feasible when
• BMC run-times are not very bad
• Not searching too many directions at once
• Number of CPUs is small
• BDD based image is difficult
• Automatic determination
• Grid controller has knowledge of
• Time taken by jobs
• Number of jobs
• Use multiple sub-grids, pick the best.

62
Grid-BMC times (industrial ckts)
63
Analysis and Observations

• Find errors faster than BDDs alone
• Find errors where BMC runs out of time
• BDD-based seeding of SAT solver
• Better than simulation-based seeding
• Performance on BDD friendly circuits
• Better than BMC or simulation Similar to BDDs
• Sweet spot in approximation vs. performance

64
BDD-seeded BMC Benefits

• Explores deeper state space
• covers new states not visited by SAT or BDD
• Practical for large circuits
• Can go very deep where SAT goes 20-30 deep
• Better coverage than simulation
• Bridges the gap between simulation and FV
• SAT and BDDs complementary
• At large depths, often
• POBDD steps take very less time (eg s13207)
• SAT times usually increase rapidly

65

• Conclusion

66
Summary of research

• Dynamically partitioned BDDs
• Time scalability states vs. time
• Decompositional model checking
• Faster debugging
• Partition as direction
• Deep localized state space exploration

67
Benefits

• Find bugs faster
• Often by many orders of magnitude
• Time scalability
• more time ) more FV
• Improved memory utilization
• Increased capacity
• Handle larger designs
• Better coverage
• Deep state search

68
Appendix

• Other Topics

69
Window functions

• How to partition?
• Non-cube window functions
• Exploiting Non-determinism at the root

70
Static Partitioning

• Window function selection
• fi wi f wi f wi
• Select wi such that f wi and wi are small
• Assign a cost to each PI and ?i
• Partitioning factor max(fx/f, fx/f)
• Minimize the size of the largest partition
• Redundancy factor (fx fx) / f
• Minimize the total work done in creating all
  partitions
• Select the best k variables and make 2k
  partitions

71
Cube-based windows

• Windows as minterm cubes
• Stitched together as a Free-BDD
• Ordered differently along paths
• But reads input only once.
• And has a single deterministic root node.
• Nondeterministic advantage of POBDD lost.
• Can general window functions lead to gain?

72
Composition of functions

• In function F(x1,?,xn,g),
• replace the variable g by function G(x1,?,xn)
• F(gà G) (Fg Æ G) Ç (F g Æ G)
• The complexity is cubic O(F2 G)
• Keep disjunction implicit i.e. as a POBDD
• g and g as window functions
• Complexity is quadratic O(F G)

73
Sequence of Compositions

• In function F(x1,?,xn,g1,?,gk),
• replace gi by Gi(x1,?,xn,g1,?,gi-1)
• The complexity is O( F2k G2k-1)
• Partitioning creates 2k partitions
• Each of size O(F Gk)
• Double exp gain on nested composition

74
Build functions by Decomposition

• Initially build ROBDDs for the function using
  APPLY
• Identify gates where APPLY output is
  disproportionately large
• Introduce at such a gate an auxiliary variable
• Build the output ROBDD using primary inputs and
  auxiliary variables
• Compose decomposed graph to get the canonical BDD
  
• Sequence of nested compositions of auxiliary
  variables corresponding to decomposition points
• Use decomposition points for non-cube windows

75
Generalized Windows

• Non-cube functions as windows
• Exponentially more succinct representation
• Non-determinism at the root
• Double exponential saving if expressed as
  composition
• Can lead to efficiency in time also
• Succinctness not at expense of efficient
  operations
• If Transition Relation can be constructed,
• Need not be implicitly conjoined
• Wasteful repeated computation can be avoided

76
Creating Non-cube windows

• Build Transition relation decompositionally
• Introducing pseudo variables
• Partition when compose blows up
• Each partition constructed and ordered separately
• For each new partition, perform 1 and 2 until all
  decomposition points are composed

77
Non-cube Goal

• Generate Non-cube window functions
• Non-cube based reachability
• Exploit latent efficiency of non-determinism
• Can get intricate
• Ex When window is a large BDD and cannot be
  easily used for calculations
• Enable better representation of the TR
• Reduce wasteful computation