Optimizing Symbolic Model Checking for Constraint-Rich Systems
Randal E. Bryant, Bwolen Yang, Reid Simmons, David R. O’Hallaron
Carnegie Mellon University
NASA’s Deep Space One (DS1) Spacecraft
- The fault diagnosis model qualitatively describes the spacecraft’s behavior.
Autonomous Spacecraft: NASA DS1’s Fault Diagnosis Model
- Fault Diagnosis Model: components’ interconnections (thrusters, motors, valves, …)
  » a component’s state is its mode (e.g., a thruster’s force: low / nominal / high)
- Also used in the Robot Explorer (Nomad: Antarctic meteorite explorer)
- Livingstone Diagnostic Engine [Williams & Nayak ’96]
  [Diagram: Sensor Data and the Model feed the engine, which asks “consistent?” and produces a Fault Diagnosis]
Verification of DS1’s Fault Diagnosis Model [Simmons, CMU]
- Automatically translated to the SMV model checker
  » state transition == a component’s mode changes
  » time-invariant constraints: sensor values and modes; interconnection between components
- Automatic translation ==> little / no manual optimization
  » vs. models built from scratch by verification experts
Verification of DS1’s Fault Diagnosis Model: Challenge
- Failed due to the large number of state variables: 600-1200 state bits
  » model checker’s capacity: ~ a few hundred state bits
- Observation: dominated by time-invariant constraints
Time-Invariant Constraints: Example 1
- Establish Interface
  [Diagram: component 1 (out) connected through a pipe to component 2 (in), with the constraint min(out, c) == in; c is the capacity of the pipe]
- “in” is redundant
Time-Invariant Constraints: Example 2
- Use of Generic Parts (both software / hardware): a specific use ==> constraints
  [Diagram: a bi-directional generic part, specialized so that component 1 (out) feeds component 2 (in)]
- Redundant components! e.g., valves always set to the same direction
Time-Invariant Constraints: Observation 1 (Example 1 + 2)
- Many Unnecessary State Variables (macros)
  » Establish Interface: in := min(out, c)
  » Specific Use of Generic Parts: valve-direction := some constant (after inlining the module)
Time-Invariant Constraints: Example 3
- Indirection (based on the specification)
  » transition relation: next(bus.state) := complex expression f
  » invariant constraints: device1.output1 := switch (bus.state) …
                           device1.output2 := switch (bus.state) …
Time-Invariant Constraints: Example 4
- Consistent Non-Deterministic Choices
  » invariant constraint: cmd := expression f with non-determinism (due to incomplete specification or abstraction)
  » transition relations: next(device1.output1) := switch (cmd) …
                          next(device1.output2) := switch (cmd) …
Time-Invariant Constraints: Observation 2 (Example 3 + 4)
- Variables w/ Constraints Used in Current State Only
  » Indirection: device1.output1 := switch (bus.state) …
                 device1.output2 := switch (bus.state) …
  » Consistent Non-Deterministic Choices: cmd := expression f with non-determinism (due to incomplete specification or abstraction)
- ==> Corresponding Next-State BDD Variables NOT Used
  » early quantification in pre-image computation
  » pre-image quantifies out next-state variables
Time-Invariant Constraints: Example 5
- Conditional Assignments
    (tank == non-empty) =>
      (out-pressure.sign := positive) &
      (out-pressure.relative := nominal)
- Note: occurs for interface and indirection; mostly simple (as above), but sometimes quite complicated
  » p1 => ((p2 => (a := …)) & (p3 => (b := …)))
  » the most complicated expression has > 10,000 characters
Time-Invariant Constraints: Observation 3 (Example 5)
- Combining Time-Invariant Constraints ==> Macros
    p1 => (a := …)
    p2 => (a := …)
    p3 => (a := …)
    …
  ==> a := some deterministic expression
- Complex expressions ==> syntactic analysis is insufficient
Optimizations for Constraint-Rich Models
- Time-Invariant Constraints arise from modeling and may contain lots of redundant state bits
- Our Solutions
  » remove redundant state variables: identify macros with the assignment-extraction algorithm; select macros by BDD characteristics
  » partition (conjunctive partitioning) the remaining constraints: apply an improved version of the [Ranjan et al. ’95] algorithm
Redundant State-Variable Removal: Problem Statement
- Given invariant constraint $c$ and state variable $v$,
- Question: does $c \Rightarrow (v == g)$ hold for some expression $g$? If so, $v$ is redundant: replace $v$ with $g$.
- Related Work: [Berthet et al. ’90], [Lin & Newton ’91], [Hu & Dill ’93], [Eijk & Jess ’96], [Sentovich et al. ’96]
  » Problems: they require the constraints to be combined first, and removal is not always beneficial
Redundant State-Variable Removal: Our Approach, the Assignment Extraction Algorithm
- From each constraint $c_i$ extract a non-deterministic assignment: $c_i \Rightarrow (v \in G_i)$
- If $G_i = \{ g_i \}$, we have $v == g_i$
Redundant State-Variable Removal: Partitioned Constraints
- $c_1 \Rightarrow (v \in G_1)$, $c_2 \Rightarrow (v \in G_2)$, …, $c_n \Rightarrow (v \in G_n)$
- Use graph sizes to determine the “goodness” of $g$
- $v == g$ ?
Redundant State-Variable Removal: Assignment Extraction Algorithm (Core Idea)
- Target: to construct a solution $G_i$ for $c_i \Rightarrow (v \in G_i)$
- For all $k \in K_v$, where $K_v$ is the set of possible values of $v$:
    $c_i|_{v=k} \Rightarrow (k \in G_i)$   [substitute $v$ with $k$]
- $G_i = \bigcup_{k \in K_v} \big(\text{if } c_i|_{v=k} \text{ then } \{k\} \text{ else } \{\}\big)$
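As an added worked example (not the talk’s or the authors’ code), the core idea above over constructed finite-domain constraints: each constraint c_i is a Python predicate, and G_i is computed pointwise by cofactoring on v = k, exactly as the union formula states. It is run on Example 1’s interface constraint and on a pair of Example 5-style conditional assignments, which shows why Observation 3 needs the partitions combined before a macro appears. The variable names, domains and predicates are assumptions; a real implementation does the cofactoring on BDDs.

```python
from itertools import product

# Constructed finite domains (assumption, not from the talk). The real algorithm
# works on BDDs; here each constraint c_i is a Python predicate over a dict.
DOMAINS = {
    "in": (0, 1, 2), "out": (0, 1, 2), "cap": (0, 1, 2),
    "p": (False, True), "x": (0, 1), "y": (0, 1), "a": (0, 1),
}

def extract_assignment(support, pred, v):
    """G_i = U_{k in K_v} (if c_i|_{v=k} then {k} else {}), computed pointwise:
    for each assignment e to the other variables in the constraint's support,
    G_i(e) is the set of values k for which the cofactor c_i|_{v=k} holds at e.
    Returns (g, deterministic); v is a macro (v == g) iff every G_i(e) is a singleton."""
    others = tuple(u for u in support if u != v)
    g = {}
    for vals in product(*(DOMAINS[u] for u in others)):
        env = dict(zip(others, vals))
        g[vals] = frozenset(k for k in DOMAINS[v] if pred({**env, v: k}))
    return g, all(len(G) == 1 for G in g.values())

def macro_table(constraint, v):
    """The extracted deterministic expression g as an explicit table e -> value,
    or None when the constraint leaves v non-deterministic somewhere."""
    g, deterministic = extract_assignment(*constraint, v)
    return {e: next(iter(G)) for e, G in g.items()} if deterministic else None

def conjoin(c1, c2):
    """Combine two partitioned constraints (Observation 3): union of supports, AND of predicates."""
    (s1, p1), (s2, p2) = c1, c2
    return tuple(dict.fromkeys(s1 + s2)), (lambda e: p1(e) and p2(e))

# Example 1 (establish interface): min(out, cap) == in
INTERFACE = (("in", "out", "cap"), lambda e: e["in"] == min(e["out"], e["cap"]))
# Example 5 style conditional assignments kept as two separate partitions:
#   p => (a := x)   and   !p => (a := y)
GUARD_TRUE = (("p", "a", "x"), lambda e: (not e["p"]) or e["a"] == e["x"])
GUARD_FALSE = (("p", "a", "y"), lambda e: e["p"] or e["a"] == e["y"])

def interface_is_macro():
    return macro_table(INTERFACE, "in") is not None      # True: in := min(out, cap)

def guarded_alone_is_macro():
    return macro_table(GUARD_TRUE, "a") is not None      # False: a is free when p is false

def guarded_combined_is_macro():
    # True: the two partitions together pin a := (p ? x : y), which no syntactic
    # look at either partition on its own would reveal
    return macro_table(conjoin(GUARD_TRUE, GUARD_FALSE), "a") is not None

if __name__ == "__main__":
    print("Example 1, in is a macro:", interface_is_macro())
    print("p => a := x alone:", guarded_alone_is_macro())
    print("both guards combined:", guarded_combined_is_macro())
```

The enumeration over the other variables is what a BDD cofactor gives for free; the point the example isolates is the decision rule, that v is replaceable only when every G_i(e) is a singleton, and that this can become true only after conjoining partitions.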
Conjunctive Partitioning of Time-Invariant Constraints
- $\text{image}(S) = \exists V.\; T \wedge (S \wedge C)$
  $= \exists (V - W).\; T \wedge [\,\exists W.\; (S \wedge C)\,]$
  where $T$ does not depend on the variables in $W$: many variables are used only in time-invariant constraints
- Represent $C$ as the conjunctive partition $C_1 \wedge C_2 \wedge \dots \wedge C_m$
  » the monolithic BDD is too large to build
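An added example, not from the talk, of the two image formulas above on a constructed toy system. An explicit set-of-tuples representation stands in for BDDs (conjunction is a natural join, existential quantification is a projection), so the two orderings can be checked to give the same image while the early-quantified form never builds a product over all of V ∪ V'. The system, its variables and the width measure are assumptions made for the illustration.

```python
from itertools import product

# Constructed toy system (assumption, not from the talk).
DOM = (0, 1, 2)
V = ("mode", "out", "cap", "in")          # current-state variables
V_NEXT = tuple(x + "'" for x in V)        # next-state variables

class Rel:
    """A boolean function as the set of satisfying assignments over `cols`."""
    def __init__(self, cols, rows):
        self.cols = tuple(cols)
        self.rows = frozenset(rows)

def conj(a, b):
    """Conjunction = natural join on the shared variables."""
    shared = [c for c in a.cols if c in b.cols]
    extra = [c for c in b.cols if c not in a.cols]
    aidx = {c: i for i, c in enumerate(a.cols)}
    bidx = {c: i for i, c in enumerate(b.cols)}
    rows = set()
    for ra in a.rows:
        for rb in b.rows:
            if all(ra[aidx[c]] == rb[bidx[c]] for c in shared):
                rows.add(ra + tuple(rb[bidx[c]] for c in extra))
    return Rel(a.cols + tuple(extra), rows)

def exists(r, ws):
    """Existential quantification = projecting the columns in ws away."""
    keep = [i for i, c in enumerate(r.cols) if c not in ws]
    return Rel([r.cols[i] for i in keep],
               {tuple(row[i] for i in keep) for row in r.rows})

def build_system():
    # Time-invariant constraint C (Example 1): in == min(out, cap)
    C = Rel(("out", "cap", "in"),
            {(o, c, i) for o, c, i in product(DOM, DOM, DOM) if i == min(o, c)})
    # Initial states S: mode = 0, cap = 2, out and in unconstrained (C filters in)
    S = Rel(V, {(0, o, 2, i) for o in DOM for i in DOM})
    # Transition relation T: mode advances when out > 0; cap is constant; out' and in'
    # are chosen freely. T does not mention `in`, so W = {in} for early quantification.
    rows = set()
    for m, o, c in product(DOM, DOM, DOM):
        m2 = (m + 1) % 3 if o > 0 else m
        for o2, i2 in product(DOM, DOM):
            rows.add((m, o, c, m2, o2, c, i2))
    T = Rel(("mode", "out", "cap") + V_NEXT, rows)
    return S, T, C

def image_monolithic(S, T, C):
    """image(S) = exists V. T /\ (S /\ C): quantify all of V after the full product.
    Returns the image and the width (number of variables) of the largest intermediate."""
    prod = conj(T, conj(S, C))
    return exists(prod, set(V)), len(prod.cols)

def image_early(S, T, C):
    """image(S) = exists (V - W). T /\ [exists W. (S /\ C)] with W = vars T ignores."""
    W = {v for v in V if v not in T.cols}
    inner = exists(conj(S, C), W)             # W is quantified out before meeting T
    prod = conj(T, inner)
    return exists(prod, set(V) - W), len(prod.cols)

if __name__ == "__main__":
    S, T, C = build_system()
    img_m, width_m = image_monolithic(S, T, C)
    img_e, width_e = image_early(S, T, C)
    print("same image:", img_m.rows == img_e.rows, "states:", len(img_m.rows))
    print("peak width monolithic vs early:", width_m, width_e)
```

With sets the saving shows up only as a narrower intermediate relation (7 variables instead of all 8); with BDDs it is the support of the intermediate graph that shrinks, which is what the early-quantification results later in the talk measure.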
Optimizations for Constraint-Rich Models: Overall Impact
[Chart: y-axis time (sec), log scale 1 to 100000; x-axis benchmark models acs, ds1-b, ds1, ds4, f-bus, nomad, v-gates, xavier; series: orig, new; runs that did not complete are marked “failed”]
Performance Breakdown
- BDD-Based Macro Optimization
- Early-Quantification of $W$ for $\exists V.\; T \wedge [\,\exists W.\; (S \wedge C)\,]$, without and with macro optimization
Effects of BDD-Based Macro (No Early Quantification)
[Chart: y-axis time (sec), log scale 1 to 100000; x-axis acs, ds1-b, ds1, ds4, f-bus, nomad, v-gates, xavier; series: None, BDDM; runs that did not complete are marked “failed”]
Effects of BDD-Based Macro: Causes
[Chart: y-axis % BDD vars removed, 0 to 100; x-axis acs, ds1-b, ds1, ds4, f-bus, nomad, v-gates, xavier]
Effects of Early Quantification (No Macro Optimization)
[Chart: y-axis time (sec), log scale 1 to 100000; x-axis acs, ds1-b, ds1, ds4, f-bus, nomad, v-gates, xavier; series: None, Quan; runs that did not complete are marked “failed”]
Effects of Early Quantification: Causes (No Macro Optimization)
[Chart: y-axis % BDD vars extracted, 0 to 100; x-axis acs, ds1-b, ds1, ds4, f-bus, nomad, v-gates, xavier; series: image, pre-image]
- Maximum achievable = 50%
Effects of Early Quantification (With Macro Optimization)
[Chart: y-axis time (sec), log scale 1 to 100000; x-axis acs, ds1-b, ds1, ds4, f-bus, nomad, v-gates, xavier; series: BDDM, Q+BDDM; runs that did not complete are marked “failed”]
Summary & Future Work
- Optimizations for Constraint-Rich Models
  » enabled verification of DS1’s fault diagnosis model: 159 specs within 1 min
  » typical of the effort required to deal with models generated automatically from a modular description
- BDD Algorithms for Compiler-Type Analysis
  » Assignment-Extraction Algorithm
  » cone-of-influence analysis: exact dependence information