1
Implicit and explicit explorationof the reachable state space
of Esterel logical circuits
December 12th, 2002
Yannis BRES
Advisor: Gérard BERRY
PhD Defense
2Outline
Introduction:
Context of this work, the reactive synchronous approach, Esterel, automata and circuits, reachable state space computation, BDDs
I – Pure implicit approach:
A formal verifier offering variable inputization or abstraction
II – Enumerative approach:
A versatile engine for the exploration of reachable state spaces:
Automaton generation
Formal verification
Exhaustive test sequence generation
Conclusions and future prospects
3The reactive synchronous approach
Based upon the semantic model of Finite State Machines (FSMs)
Reactive programs:
Execution split in reactions (instants), time is discrete
Synchronous programs:
Theoretical simplification: reaction duration is 0, instantaneous broadcast
Environment analysis then reaction to this environment
Broad application domain:
Real-time systems
Control/supervision of industrial processes
Embedded systems
Physical controlers
…
4Esterel
A reactive synchronous imperative language with control-flow dominance
Modules/blocks run in parallel or sequentially
Modules/blocks can be preempted, suspended and resumed
Communication performed through instantaneously broadcast signals
Formal semantics
module Synchronize :
input A, B;output O;
[ await A || await B ] ;emit O
end module
5Explicit automata
Central design representation in Esterel v1, v2, v3: automata
module Synchronize :
input A, B;output O;
[ await A || await B ] ;emit O
end module
Automata can be exponentials both:
in construction time
in storage space
6Circuits
Central design representation since Esterel v4: logical circuits
Generation time and storage space are linear with respect to source code size
7Automata vs. Circuits
Let's add a C signal in the previous program…
8Automata vs. Circuits
Let's add a C signal in the previous program…
9Formal verification by observers
module Synchronize :
input A, B;output O;
[ await A || await B ] ;emit O
end module
abortawait O ;emit BUG
when A||
Observers run in parallel with the program to be verified
Safety properties:
"something wrong never occurs"
Safety properties:
"something good will occur sooner or later"
Answer formally to the question: "can BUG ever be emitted?"
10Reachable state space computation
reachable statespace computation
(RSS)
Cornerstone of numerous applications:
automatongeneration
generation ofexhaustive
test sequences
formalverification
equivalencechecking
11Reachable state space computation
approach state analysistransitionanalysis
pure implicit BDDs
enumerativeimplicit
explicit explicit
Several approaches to RSS computation:
"Onion" representation, by depth level:
Initial state
States reachable in 1 tick
States reachable in 2 ticks
States reachable in 3 ticks
…
12Binary Decision Diagrams (BDDs)
Variable ordering is constant within the whole tree (here: x1 < y1 < x2 < y2)
Variable node (x1, x2, y1, y2)
Terminal node (0 or 1 constants)
"When false" path
"When true" path
x1
y1 y1
x2 x2 x2 x2
y2 y2 y2 y2 y2 y2 y2 y2
1 0 0 1 0 0 0 0 0 0 0 0 1 0 0 1
(x1 y1) (x2 y2)
13Binary Decision Diagrams (BDDs)
Several simplification rules:
x1
y1 y1
x2 x2 x2 x2
y2 y2 y2 y2 y2 y2 y2 y2
1 0 0 1 0 0 0 0 0 0 0 0 1 0 0 1
1)
0
Useless tests are removed
(x1 y1) (x2 y2)
14Binary Decision Diagrams (BDDs)
Several simplification rules:
x1
y1 y1
x2 x2
y2 y2 y2 y2
1 0 0 1
0
1 0 0 1
1)
0
2)
Useless tests are removed
Isomorph nodes/trees are shared
(x1 y1) (x2 y2)
15Binary Decision Diagrams (BDDs)
Several simplification rules:
1)
2)
3)
x2 x2 x2
y2 y2 y2 y2 y2 y2
1 0 0 1 0 0 0 0 0 0 0 0 0 1
x1
y1 y1
x2
y2 y2
1 0
Useless tests are removed
Isomorph nodes/trees are shared
Edges are tagged in order to share opposite nodes (not shown here)
(x1 y1) (x2 y2)
16Binary Decision Diagrams (BDDs)
Worst-case complexities in both time and space:
In most cases:
Very efficient algorithms for boolean function manipulations
A very compact representation of boolean functions
Representation of sets through their caracteristic function
Representation of functions associated to circuit gates
Uses:
=, - constant
, quadratic
, substitutions exponential
17Reachable state space computation using BDDs
Exponentially complex wrt the number of involved variables:
1 BBD variable per input
Intermediate variable: must be , doesn't appear in results
1 BDD variable per state variables (register/latch)
Goal: reducing the number of state variables!
Persistent variable: must be , appears in results
18Outline
Introduction:
Context of this work, the reactive synchronous approach, Esterel, automata and circuits, reachable state space computation, BDDs
I – Pure implicit approach:
A formal verifier offering variable inputization or abstraction
II – Enumerative approach:
A versatile engine for the exploration of reachable state spaces:
Automaton generation
Formal verification
Exhaustive test sequence generation
Conclusions and future prospects
19Reducing the number of variables
A usual technique for state variable number reduction:
Turn state variables into free inputs (inputization)
Less variables to substitute
As many variables to
Our approach: abstract variables using a ternary-valued logic (0,1,d)
Variables to be abstracted are replaced by the constant d (indifferent)
Less variables to substitute
Less variables to
Ternary-valued logic (0,1,d) :
0 1
1 0
d d
0 1 d
0 0 0 0
1 0 1 d
d 0 d d
0 1 d
0 0 1 d
1 1 1 1
d d 1 d
v v0 v1
0 1 0
1 0 1
d 0 0
+
++
=
Abstracted variables are pre-quantified
20Inputization and abstraction: example
input A, B;output O;
[ await A || await B ] ;emit O
inputization abstraction
21Over-approximation
Both inputization and abstraction weakens contraints between variables Conservative over-approximation with respect to the RSS
"Snowball effect"Inputization maintains correlation between variable instances
r r i i = 0 r r i i = 1Abstraction loses correlation between variable instances
r r d d = d r r d d = d
Formal verif.: no erroneous validation, only erroneous refutations
+
-
22Over-approximation
Both inputization and abstraction weakens contraints between variables Conservative over-approximation with respect to the RSS
"Snowball effect"Inputization maintains correlation between variable instances
r r i i = 0 r r i i = 1Abstraction lose correlation between variable instances
r r d d = d r r d d = d
Formal verif.: no erroneous validation, only erroneous refutations
Additional source of over-approximation within the RSS computation when using a ternary-valued logic: set widening
+
--
In practice, when over-approximation races out of control, erroneous refutations arise very quickly and computations stop
+
23The Esterel selection tree
[await I1 ;do something ;await I2 ;do something
||await I3 ;do something
] ;await I4 ;do something
1
2
3
4
#
#
Allows to reduce over-approximation in two ways:
Reinforcement of relations between inputs for inputized variables
RSS ceiling
24Our formal verifier: evcl
Esterel Verification Command Line
Main functionalities:
Over-approximation reduction using structural informations
White-box (integrated observers) / Black-box (external observers)
…
> 30 000 lines of C++ (and > 21 000 lines of shared libraries)
Variable inputization and abstraction
Experimentations:
(Mirage 2000-9 fuel management system, A380 warning system)
Abstraction can be up to 26 times faster than inputization
When over-approximation races out of control, computations stop quickly
Nothing to lose in trying it!
25Outline
Introduction:
Context of this work, the reactive synchronous approach, Esterel, automata and circuits, reachable state space computation, BDDs
I – Pure implicit approach:
A formal verifier offering variable inputization or abstraction
II – Enumerative approach:
A versatile engine for the exploration of reachable state spaces:
Automaton generation
Formal verification
Exhaustive test sequence generation
Conclusions and future prospects
26Reachable state space computation
approach state analysistransitionanalysis
pure implicit BDDs
enumérativeimplicit
explicit explicit
Several approaches to RSS computation:
"Onion" representation, by depth level:
Initial state
States reachable in 1 tick
States reachable in 2 ticks
States reachable in 3 ticks
…
27Enumerative RSS computation
A versatile engine for the exploration of reachable state spaces:
States are individually analysed by propagating information within the circuit
Pure explicit approach:
Transitions analysed through recursive branchings on inputs
Hybrid implicit/explicit approach:
Transitions analysed through BDD propagations
Automaton generation
Transparent support for (constructive) cyclic circuits
Several heuristics aiming at avoiding time or space explosion
Very good performances
> 18 000 lines of C++ (and > 21 000 lines of shared libraries)
Formal verification
Exhaustive test sequence generation
28Automaton generation
Risk of explosion in both time and space
A maximum of the control flow is computed at compilation time
Usually a very efficient implementation
Only data-dependent expressions remain to be evaluated at run time
Central design representation in Esterel v1, v2, v3: automata
Central design representation since Esterel v4: logical circuits
Automaton generation has been neglected since v4:
v4 generator had very bad performances
Automata explicit numerous informations concerning designs
Basically linear wrt source code in both generation time and storage space
Advantages of automata remain!
v4 generator could not handle cyclic circuits
…
29Automaton generation
Enumerative approach practicaly unavoidable
Pure explicit approach better than hybrid approach
How to generate an automaton?
Our automaton generator, scoc:
By far more efficient than the v4 generator
Integrated into the Esterel compiler since v5_91
(too much BDD cofactorisations are required)
(for the respect of action causality)
From now on marketed by Esterel Technologies Inc.
30Application to formal verification
Pure implicit approach unavoidable for most designs
Pure implicit approach drawbacks:
Behaviour difficult to foresee, risks of explosion
Can only be applied to acyclic circuits
Very sensitive to redundant registers
Enumerative approach pros:
Behaviour usually very steady
Transparent support for cyclic circuits
Non-sensitive to redundant registers or design depth
Usually a lot much slower, can only be used in precise cases:
Deep designs (SAT )Designs with numerous redundant registers (BDDs )
31Formal verification – experimentations
Purely linear testbench (depth: 243; states: 243)
Texas Instruments data bus (depth: 181; states: 652 948)
SAT (Prover)pure implicit
approachpure explicit
approachimplicit / explicit
approach
no result after >3h 39mn 1.6s 1.8s
< 40 Mb 8.5 Mb insignifiant memory consumption
SAT (Prover)pure implicit
approachpure explicit
approachimplicit / explicit
approach
nothing afterseveral hours
17mn: (depth 9)
2h 33mn 3h 09mn
??? 2 Gb 104 Mb 110 Mb
32Generation of exhaustive test sequences
Finite State Machine semantic model:
Different coverage goals:
State coverage
Coverage of pathes leading to specific signals emission
Transition coverage
…
Generation of exhaustive tests sequences is feasible
33Generation of exhaustive test sequences
Esterel Technologies approach: pure implicit
Standard RSS computation (except for transition coverage)
Transitions are built by reverse image computations
Coverage data updates BDD updates
Complete transition coverage not implemented
Only connected state pairs are connected
Enumerative approach is more suited and not sensitive to coverage goal
Number of state variables is doubled
34State coverage – Experimentations
design statesimplicit approach
implicit / explicitapproach ratio
# sequ. time # sequ. time
NDA 10 4 0.10 4 0.03 3.5
Arbiter12 13 cyclic 1 0.03
NDA 21 8 0.09 8 0.03 3.5
Wristwatch 41 16 1.39 16 0.09 16
NDA 65 63 0.74 63 0.07 11
ATDS-100-C2 81 35 3.58 37 0.10 36
Renault 161 99 13.57 105 0.35 39
Testbench 243 killed after >>1h 1 3.16
TCINT 310 140 33.36 140 0.39 86
NDA 535 307 35.57 308 0.47 76
NDA 875 462 16.57 489 0.43 39
35Conclusions
A formal verification tool based on pure implicit approach:
An engine for the exploration of reachable state spaces:
Automaton generation
Formal verification
Variables can be replaced by free inputs
Variables can be abstracted using a ternary-valued logic
Over-approximation reduction using structural information
White/Black box verification
…
Enumerative analysis of states
Generation of exhaustive test sequences
Explicit or implicit analysis of transitions
Versatile:
36Future prospects
Implicit approach:
Variable weighting heuristics of Quer/Cabodi et al. ?
Automate the selection of variables to inputize/abstract
Combine variable abstraction and RSS computation decomposition
Enumerative approach:
Compact the known state table
State analysis prioritization (bug chasing)
In case of excessive over-approximation, refine abstraction
Counter-example analysis of Clarke/Grumberg et al.
Cho/Govidaraju et al. approaches
…
Bitstate hashing of Holzmann, hash compaction of Stern/Dill et al.
Yang/Dill et al.
…