370 likes | 513 Views
Implicit and explicit exploration of the reachable state space of Esterel logical circuits. PhD Defense. Yannis BRES. Advisor: Gérard BERRY. December 12 th , 2002. Outline. Introduction:.
E N D
Implicit and explicit explorationof the reachable state spaceof Esterel logical circuits PhD Defense Yannis BRES Advisor: Gérard BERRY December 12th, 2002
Outline Introduction: Context of this work, the reactive synchronous approach, Esterel, automata and circuits, reachable state space computation, BDDs I – Pure implicit approach: A formal verifier offering variable inputization or abstraction II – Enumerative approach: A versatile engine for the exploration of reachable state spaces: Automaton generation Formal verification Exhaustive test sequence generation Conclusions and future prospects
The reactive synchronous approach Reactive programs: Execution split in reactions (instants), time is discrete Environment analysis then reaction to this environment Synchronous programs: Theoretical simplification: reaction duration is 0, instantaneous broadcast Broad application domain: Real-time systems Control/supervision of industrial processes Embedded systems Physical controlers … Based upon the semantic model of Finite State Machines (FSMs)
Esterel A reactive synchronous imperative language with control-flow dominance Modules/blocks run in parallel or sequentially Modules/blocks can be preempted, suspended and resumed Communication performed through instantaneously broadcast signals Formal semantics module Synchronize : input A, B; output O; [ await A || await B ] ; emit O end module
Explicit automata Central design representation in Esterel v1, v2, v3: automata Automata can be exponentials both: in construction time in storage space module Synchronize : input A, B; output O; [ await A || await B ] ; emit O end module
Circuits Central design representation since Esterel v4: logical circuits Generation time and storage space are linear with respect to source code size
Automata vs. Circuits Let's add a C signal in the previous program…
Automata vs. Circuits Let's add a C signal in the previous program…
Formal verification by observers module Synchronize : input A, B; output O; [ await A || await B ] ; emit O end module abort await O ; emit BUG when A || Observers run in parallel with the program to be verified Answer formally to the question: "can BUG ever be emitted?" Safety properties: "something wrong never occurs" Safety properties: "something good will occur sooner or later"
automatongeneration formalverification equivalencechecking generation ofexhaustivetest sequences Reachable state space computation Cornerstone of numerous applications: reachable statespace computation(RSS)
Reachable state space computation "Onion" representation, by depth level: Initial state States reachable in 1 tick States reachable in 2 ticks States reachable in 3 ticks … Several approaches to RSS computation:
Variable ordering is constant within the whole tree (here: x1 < y1 < x2 < y2) Binary Decision Diagrams (BDDs) Variable node (x1, x2, y1, y2) "When false" path Terminal node (0 or 1 constants) "When true" path x1 (x1 y1) (x2 y2) y1 y1 x2 x2 x2 x2 y2 y2 y2 y2 y2 y2 y2 y2 1 0 0 1 0 0 0 0 0 0 0 0 1 0 0 1
Several simplification rules: Binary Decision Diagrams (BDDs) 1) Useless tests are removed x1 (x1 y1) (x2 y2) y1 y1 x2 x2 x2 0 x2 y2 y2 y2 y2 y2 y2 y2 y2 1 0 0 1 0 0 0 0 0 0 0 0 1 0 0 1
Several simplification rules: Binary Decision Diagrams (BDDs) 1) Useless tests are removed 2) Isomorph nodes/trees are shared x1 (x1 y1) (x2 y2) y1 y1 x2 0 0 x2 y2 y2 y2 y2 1 0 0 1 1 0 0 1
Several simplification rules: Binary Decision Diagrams (BDDs) 1) Useless tests are removed 2) Isomorph nodes/trees are shared 3) Edges are tagged in order to share opposite nodes (not shown here) x1 (x1 y1) (x2 y2) y1 y1 x2 x2 x2 x2 y2 y2 y2 y2 y2 y2 y2 y2 1 0 0 1 0 0 0 0 0 0 0 0 1 0 0 1
In most cases: Binary Decision Diagrams (BDDs) A very compact representation of boolean functions Very efficient algorithms for boolean function manipulations Uses: Representation of functions associated to circuit gates Representation of sets through their caracteristic function Worst-case complexities in both time and space:
Reachable state space computation using BDDs Exponentially complex wrt the number of involved variables: 1 BBD variable per input Intermediate variable: must be , doesn't appear in results 1 BDD variable per state variables (register/latch) Persistent variable: must be , appears in results Goal: reducing the number of state variables!
Outline Introduction: Context of this work, the reactive synchronous approach, Esterel, automata and circuits, reachable state space computation, BDDs I – Pure implicit approach: A formal verifier offering variable inputization or abstraction II – Enumerative approach: A versatile engine for the exploration of reachable state spaces: Automaton generation Formal verification Exhaustive test sequence generation Conclusions and future prospects
Reducing the number of variables A usual technique for state variable number reduction: Turn state variables into free inputs (inputization) + Less variables to substitute = As many variables to Our approach: abstract variables using a ternary-valued logic (0,1,d) Variables to be abstracted are replaced by the constant d (indifferent) + Less variables to substitute + Less variables to Abstracted variables are pre-quantified Ternary-valued logic (0,1,d) :
Inputization and abstraction: example input A, B; output O; [ await A || await B ] ; emit O inputization abstraction
Over-approximation Both inputization and abstraction weakens contraints between variables Conservative over-approximation with respect to the RSS Formal verif.: no erroneous validation, only erroneous refutations "Snowball effect" + Inputization maintains correlation between variable instances r r i i = 0 r r i i = 1 - Abstraction loses correlation between variable instances r r d d = d r r d d = d
+ In practice, when over-approximation races out of control, erroneous refutations arise very quickly and computations stop Over-approximation Both inputization and abstraction weakens contraints between variables Conservative over-approximation with respect to the RSS Formal verif.: no erroneous validation, only erroneous refutations "Snowball effect" + Inputization maintains correlation between variable instances r r i i = 0 r r i i = 1 - Abstraction lose correlation between variable instances r r d d = d r r d d = d - Additional source of over-approximation within the RSS computation when using a ternary-valued logic: set widening
Allows to reduce over-approximation in two ways: RSS ceiling Reinforcement of relations between inputs for inputized variables The Esterel selection tree [ await I1 ;do something; await I2 ;do something || await I3 ;do something] ;await I4 ;do something 1 # 2 3 # 4
Our formal verifier: evcl Esterel Verification Command Line Main functionalities: Variable inputization and abstraction Over-approximation reduction using structural informations White-box (integrated observers) / Black-box (external observers) … > 30 000 lines of C++ (and > 21 000 lines of shared libraries) Experimentations: (Mirage 2000-9 fuel management system, A380 warning system) Abstraction can be up to 26 times faster than inputization When over-approximation races out of control, computations stop quickly Nothing to lose in trying it!
Outline Introduction: Context of this work, the reactive synchronous approach, Esterel, automata and circuits, reachable state space computation, BDDs I – Pure implicit approach: A formal verifier offering variable inputization or abstraction II – Enumerative approach: A versatile engine for the exploration of reachable state spaces: Automaton generation Formal verification Exhaustive test sequence generation Conclusions and future prospects
Reachable state space computation "Onion" representation, by depth level: Initial state States reachable in 1 tick States reachable in 2 ticks States reachable in 3 ticks … Several approaches to RSS computation:
Enumerative RSS computation A versatile engine for the exploration of reachable state spaces: Automaton generation Formal verification Exhaustive test sequence generation States are individually analysed by propagating information within the circuit Pure explicit approach: Transitions analysed through recursive branchings on inputs Hybrid implicit/explicit approach: Transitions analysed through BDD propagations Transparent support for (constructive) cyclic circuits Several heuristics aiming at avoiding time or space explosion Very good performances > 18 000 lines of C++ (and > 21 000 lines of shared libraries)
Automaton generation Central design representation in Esterel v1, v2, v3: automata Risk of explosion in both time and space Central design representation since Esterel v4: logical circuits Basically linear wrt source code in both generation time and storage space Automaton generation has been neglected since v4: v4 generator had very bad performances v4 generator could not handle cyclic circuits … Advantages of automata remain! Usually a very efficient implementation A maximum of the control flow is computed at compilation time Only data-dependent expressions remain to be evaluated at run time Automata explicit numerous informations concerning designs
Automaton generation How to generate an automaton? Enumerative approach practicaly unavoidable (for the respect of action causality) Pure explicit approach better than hybrid approach (too much BDD cofactorisations are required) Our automaton generator, scoc: By far more efficient than the v4 generator Integrated into the Esterel compiler since v5_91 From now on marketed by Esterel Technologies Inc.
Application to formal verification Pure implicit approach unavoidable for most designs Pure implicit approach drawbacks: Behaviour difficult to foresee, risks of explosion Can only be applied to acyclic circuits Very sensitive to redundant registers Enumerative approach pros: Behaviour usually very steady Transparent support for cyclic circuits Non-sensitive to redundant registers or design depth Usually a lot much slower, can only be used in precise cases: Deep designs (SAT ) Designs with numerous redundant registers (BDDs )
Formal verification – experimentations Purely linear testbench (depth: 243; states: 243) Texas Instruments data bus (depth: 181; states: 652 948)
Generation of exhaustive test sequences Finite State Machine semantic model: Generation of exhaustive tests sequences is feasible Different coverage goals: State coverage Coverage of pathes leading to specific signals emission Transition coverage …
Generation of exhaustive test sequences Esterel Technologies approach: pure implicit Standard RSS computation (except for transition coverage) Transitions are built by reverse image computations Coverage data updates BDD updates Complete transition coverage not implemented Only connected state pairs are connected Number of state variables is doubled Enumerative approach is more suited and not sensitive to coverage goal
Conclusions A formal verification tool based on pure implicit approach: Variables can be replaced by free inputs Variables can be abstracted using a ternary-valued logic Over-approximation reduction using structural information White/Black box verification … An engine for the exploration of reachable state spaces: Enumerative analysis of states Explicit or implicit analysis of transitions Versatile: Automaton generation Formal verification Generation of exhaustive test sequences
Future prospects Implicit approach: Automate the selection of variables to inputize/abstract Variable weighting heuristics of Quer/Cabodi et al. ? In case of excessive over-approximation, refine abstraction Counter-example analysis of Clarke/Grumberg et al. Combine variable abstraction and RSS computation decomposition Cho/Govidaraju et al. approaches … Enumerative approach: Compact the known state table Bitstate hashing of Holzmann, hash compaction of Stern/Dill et al. State analysis prioritization (bug chasing) Yang/Dill et al. …