implicit and explicit exploration of the reachable state space of esterel logical circuits

1

Implicit and explicit explorationof the reachable state space

of Esterel logical circuits

December 12th, 2002

Yannis BRES

Advisor: Gérard BERRY

PhD Defense

2Outline

Introduction:

Context of this work, the reactive synchronous approach, Esterel, automata and circuits, reachable state space computation, BDDs

I – Pure implicit approach:

A formal verifier offering variable inputization or abstraction

II – Enumerative approach:

A versatile engine for the exploration of reachable state spaces:

Automaton generation

Formal verification

Exhaustive test sequence generation

Conclusions and future prospects

3The reactive synchronous approach

Based upon the semantic model of Finite State Machines (FSMs)

Reactive programs:

Execution split in reactions (instants), time is discrete

Synchronous programs:

Theoretical simplification: reaction duration is 0, instantaneous broadcast

Environment analysis then reaction to this environment

Broad application domain:

Real-time systems

Control/supervision of industrial processes

Embedded systems

Physical controlers

…

4Esterel

A reactive synchronous imperative language with control-flow dominance

Modules/blocks run in parallel or sequentially

Modules/blocks can be preempted, suspended and resumed

Communication performed through instantaneously broadcast signals

Formal semantics

module Synchronize :

input A, B;output O;

[ await A || await B ] ;emit O

end module

5Explicit automata

Central design representation in Esterel v1, v2, v3: automata




end module

Automata can be exponentials both:

in construction time

in storage space

6Circuits

Central design representation since Esterel v4: logical circuits

Generation time and storage space are linear with respect to source code size

7Automata vs. Circuits

Let's add a C signal in the previous program…

8Automata vs. Circuits

Let's add a C signal in the previous program…

9Formal verification by observers




end module

abortawait O ;emit BUG

when A||

Observers run in parallel with the program to be verified

Safety properties:

"something wrong never occurs"

Safety properties:

"something good will occur sooner or later"

Answer formally to the question: "can BUG ever be emitted?"

10Reachable state space computation

reachable statespace computation

(RSS)

Cornerstone of numerous applications:

automatongeneration

generation ofexhaustive

test sequences

formalverification

equivalencechecking


approach state analysistransitionanalysis

pure implicit BDDs

enumerativeimplicit

explicit explicit

Several approaches to RSS computation:

"Onion" representation, by depth level:

Initial state

States reachable in 1 tick

States reachable in 2 ticks


…

12Binary Decision Diagrams (BDDs)

Variable ordering is constant within the whole tree (here: x1 < y1 < x2 < y2)

Variable node (x1, x2, y1, y2)

Terminal node (0 or 1 constants)

"When false" path

"When true" path

x1

y1 y1

x2 x2 x2 x2

y2 y2 y2 y2 y2 y2 y2 y2

1 0 0 1 0 0 0 0 0 0 0 0 1 0 0 1

(x1 y1) (x2 y2)


Several simplification rules:

x1

y1 y1

x2 x2 x2 x2

y2 y2 y2 y2 y2 y2 y2 y2

1 0 0 1 0 0 0 0 0 0 0 0 1 0 0 1

1)

0

Useless tests are removed

(x1 y1) (x2 y2)



x1

y1 y1

x2 x2

y2 y2 y2 y2

1 0 0 1

0

1 0 0 1

1)

0

2)


Isomorph nodes/trees are shared

(x1 y1) (x2 y2)



1)

2)

3)

x2 x2 x2

y2 y2 y2 y2 y2 y2

1 0 0 1 0 0 0 0 0 0 0 0 0 1

x1

y1 y1

x2

y2 y2

1 0


Isomorph nodes/trees are shared

Edges are tagged in order to share opposite nodes (not shown here)

(x1 y1) (x2 y2)


Worst-case complexities in both time and space:

In most cases:

Very efficient algorithms for boolean function manipulations

A very compact representation of boolean functions

Representation of sets through their caracteristic function

Representation of functions associated to circuit gates

Uses:

=, - constant

, quadratic

, substitutions exponential

17Reachable state space computation using BDDs

Exponentially complex wrt the number of involved variables:

1 BBD variable per input

Intermediate variable: must be , doesn't appear in results

1 BDD variable per state variables (register/latch)

Goal: reducing the number of state variables!

Persistent variable: must be , appears in results

18Outline

Introduction:







Formal verification



19Reducing the number of variables

A usual technique for state variable number reduction:

Turn state variables into free inputs (inputization)

Less variables to substitute

As many variables to

Our approach: abstract variables using a ternary-valued logic (0,1,d)

Variables to be abstracted are replaced by the constant d (indifferent)

Less variables to substitute

Less variables to

Ternary-valued logic (0,1,d) :

0 1

1 0

d d

0 1 d

0 0 0 0

1 0 1 d

d 0 d d

0 1 d

0 0 1 d

1 1 1 1

d d 1 d

v v0 v1

0 1 0

1 0 1

d 0 0

+

++

=

Abstracted variables are pre-quantified

20Inputization and abstraction: example



inputization abstraction

21Over-approximation

Both inputization and abstraction weakens contraints between variables Conservative over-approximation with respect to the RSS

"Snowball effect"Inputization maintains correlation between variable instances

r r i i = 0 r r i i = 1Abstraction loses correlation between variable instances

r r d d = d r r d d = d

Formal verif.: no erroneous validation, only erroneous refutations

+

-

22Over-approximation

Both inputization and abstraction weakens contraints between variables Conservative over-approximation with respect to the RSS

"Snowball effect"Inputization maintains correlation between variable instances

r r i i = 0 r r i i = 1Abstraction lose correlation between variable instances

r r d d = d r r d d = d

Formal verif.: no erroneous validation, only erroneous refutations

Additional source of over-approximation within the RSS computation when using a ternary-valued logic: set widening

+

--

In practice, when over-approximation races out of control, erroneous refutations arise very quickly and computations stop

+

23The Esterel selection tree

[await I1 ;do something ;await I2 ;do something

||await I3 ;do something

] ;await I4 ;do something

1

2

3

4

#

#

Allows to reduce over-approximation in two ways:

Reinforcement of relations between inputs for inputized variables

RSS ceiling

24Our formal verifier: evcl

Esterel Verification Command Line

Main functionalities:

Over-approximation reduction using structural informations

White-box (integrated observers) / Black-box (external observers)

…

> 30 000 lines of C++ (and > 21 000 lines of shared libraries)

Variable inputization and abstraction

Experimentations:

(Mirage 2000-9 fuel management system, A380 warning system)

Abstraction can be up to 26 times faster than inputization

When over-approximation races out of control, computations stop quickly

Nothing to lose in trying it!

25Outline

Introduction:







Formal verification




approach state analysistransitionanalysis

pure implicit BDDs

enumérativeimplicit

explicit explicit

Several approaches to RSS computation:

"Onion" representation, by depth level:

Initial state

States reachable in 1 tick



…

27Enumerative RSS computation


States are individually analysed by propagating information within the circuit

Pure explicit approach:

Transitions analysed through recursive branchings on inputs

Hybrid implicit/explicit approach:

Transitions analysed through BDD propagations


Transparent support for (constructive) cyclic circuits

Several heuristics aiming at avoiding time or space explosion

Very good performances

> 18 000 lines of C++ (and > 21 000 lines of shared libraries)

Formal verification


28Automaton generation

Risk of explosion in both time and space

A maximum of the control flow is computed at compilation time

Usually a very efficient implementation

Only data-dependent expressions remain to be evaluated at run time

Central design representation in Esterel v1, v2, v3: automata

Central design representation since Esterel v4: logical circuits

Automaton generation has been neglected since v4:

v4 generator had very bad performances

Automata explicit numerous informations concerning designs

Basically linear wrt source code in both generation time and storage space

Advantages of automata remain!

v4 generator could not handle cyclic circuits

…

29Automaton generation

Enumerative approach practicaly unavoidable

Pure explicit approach better than hybrid approach

How to generate an automaton?

Our automaton generator, scoc:

By far more efficient than the v4 generator

Integrated into the Esterel compiler since v5_91

(too much BDD cofactorisations are required)

(for the respect of action causality)

From now on marketed by Esterel Technologies Inc.

30Application to formal verification

Pure implicit approach unavoidable for most designs

Pure implicit approach drawbacks:

Behaviour difficult to foresee, risks of explosion

Can only be applied to acyclic circuits

Very sensitive to redundant registers

Enumerative approach pros:

Behaviour usually very steady

Transparent support for cyclic circuits

Non-sensitive to redundant registers or design depth

Usually a lot much slower, can only be used in precise cases:

Deep designs (SAT )Designs with numerous redundant registers (BDDs )

31Formal verification – experimentations

Purely linear testbench (depth: 243; states: 243)

Texas Instruments data bus (depth: 181; states: 652 948)

SAT (Prover)pure implicit

approachpure explicit

approachimplicit / explicit

approach

no result after >3h 39mn 1.6s 1.8s

< 40 Mb 8.5 Mb insignifiant memory consumption

SAT (Prover)pure implicit

approachpure explicit

approachimplicit / explicit

approach

nothing afterseveral hours

17mn: (depth 9)

2h 33mn 3h 09mn

??? 2 Gb 104 Mb 110 Mb

32Generation of exhaustive test sequences

Finite State Machine semantic model:

Different coverage goals:

State coverage

Coverage of pathes leading to specific signals emission

Transition coverage

…

Generation of exhaustive tests sequences is feasible

33Generation of exhaustive test sequences

Esterel Technologies approach: pure implicit

Standard RSS computation (except for transition coverage)

Transitions are built by reverse image computations

Coverage data updates BDD updates

Complete transition coverage not implemented

Only connected state pairs are connected

Enumerative approach is more suited and not sensitive to coverage goal

Number of state variables is doubled

34State coverage – Experimentations

design statesimplicit approach

implicit / explicitapproach ratio

# sequ. time # sequ. time

NDA 10 4 0.10 4 0.03 3.5

Arbiter12 13 cyclic 1 0.03

NDA 21 8 0.09 8 0.03 3.5

Wristwatch 41 16 1.39 16 0.09 16

NDA 65 63 0.74 63 0.07 11

ATDS-100-C2 81 35 3.58 37 0.10 36

Renault 161 99 13.57 105 0.35 39

Testbench 243 killed after >>1h 1 3.16

TCINT 310 140 33.36 140 0.39 86

NDA 535 307 35.57 308 0.47 76

NDA 875 462 16.57 489 0.43 39

35Conclusions

A formal verification tool based on pure implicit approach:

An engine for the exploration of reachable state spaces:


Formal verification

Variables can be replaced by free inputs

Variables can be abstracted using a ternary-valued logic

Over-approximation reduction using structural information

White/Black box verification

…

Enumerative analysis of states

Generation of exhaustive test sequences

Explicit or implicit analysis of transitions

Versatile:

36Future prospects

Implicit approach:

Variable weighting heuristics of Quer/Cabodi et al. ?

Automate the selection of variables to inputize/abstract

Combine variable abstraction and RSS computation decomposition

Enumerative approach:

Compact the known state table

State analysis prioritization (bug chasing)

In case of excessive over-approximation, refine abstraction

Counter-example analysis of Clarke/Grumberg et al.

Cho/Govidaraju et al. approaches

…

Bitstate hashing of Holzmann, hash compaction of Stern/Dill et al.

Yang/Dill et al.

…

implicit and explicit exploration of the reachable state space of esterel logical circuits

Documents