Académique Documents
Professionnel Documents
Culture Documents
INTRODUCTION:
Page 1
Symbolic Model Checking with BDDs
Page 2
Symbolic Model Checking with BDDs
Page 3
Symbolic Model Checking with BDDs
Today, the complexity of both hardware and software designs is growing very
rapidly. Ensuring their correctness has correspondingly become a much more difficult
problem. On the other hand, hardware and software are now an integral part of our daily
life. Their correctness is also correspondingly becoming an indispensable part of the
design process. In particular, for security and safety critical applications, such as
automobiles, medical instruments, highway and air traffic control systems, and electronic
commerce, failure can have catastrophic consequences.
There are four principal verification techniques: simulation, testing, theorem
proving, and model checking. Before we proceed to describe each of these techniques, it
is important to note that the concept of correctness is not absolute. We can only ensure a
design satisfies a given specification. We cannot determine if the specification covers all
the necessary properties.
Traditionally, simulation and testing are the validation techniques of choice. Both
techniques validate the design by observing the outputs of test input patterns. The
simulation is performed on a model of the design, while the testing is performed on the
actual product. These two methods are very effective, particularly early in the design
process when there are many errors. However, they often cannot guarantee the absence of
error as checking all input combinations is rarely possible for complex systems. Theorem
proving and model checking are formal techniques used to address this problem.
Theorem proving uses axioms and proof rules to prove the correctness of systems.
Historically, such proofs were constructed entirely by hand. Today, there are powerful
software tools (theorem provers), such as HOL and PVS , that enforce the correct use of
axioms and proof rules and suggest possible ways to make progress in the proof.
Theorem proving is a very powerful approach and can be applied to infinite state
systems.
Model checking, on the other hand, is an automatic technique for verifying finite
state systems. By restricting the scope to finite state systems, this technique automatically
and exhaustively explores the state space to check whether or not the specification holds.
Given enough computational resources, this procedure will always terminate. If a
property does not hold, an error trace can often be generated automatically as a witness.
Page 4
Symbolic Model Checking with BDDs
For example, if a safety property can be violated, a model checker will generate an error
trace indicating how the system can transition from an initial state to a fault state where
the safety property fails to hold.
The fully automatic aspect of model checking makes it a preferable choice over
theorem proving. Even though model checking is limited to finite-state systems, many
real-world applications are either finite state or can be reduced to finite-state systems. In
particular, model checking has become an important part of the verification process in
hardware companies such as Intel, IBM, and Motorola. Note that there will always be
important applications where model checking fails due to large or infinite state space and
theorem proving is necessary. A recent research trend has been to merge these two
approaches by using model checking for verifying subcomponents and theorem proving
to compose the results back together.
Page 5
Symbolic Model Checking with BDDs
Symbolic model checking addresses this state explosion problem by using a graph
representation called Binary Decision Diagram (BDD). In symbolic model checking,
BDDs are used throughout the entire model checking process: from modeling the system
to verifying properties and generating counter-examples.
The use of BDDs has greatly increased the power of model checking roughly
from 10^5 to 10^30 states (i.e., from 17 to around 100 state bits). Occasionally, systems
with up to 1000 state bits have been successfully verified. However, in terms of real-
world applications, 100 state bits (or even 1000) are fairly small. For example, the
number of latches in today’s digital systems is easily orders of magnitude larger. Thus,
there have been many research efforts in reducing the state space. The main focus has
been in designing high level methodologies such as abstraction, compositional reasoning,
partial ordering reduction and symmetry reduction.
Abstraction reduces the state space by mapping complex components to simple
abstract representations. This is particularly useful for data paths, where large set of data
values are mapped to a small set of abstract values.
Compositional reasoning exploits the modular structure in the design by verifying
each part of a complex system separately and then composes the results to infer the
correctness of the overall system. By focusing the verification on the components rather
than the overall system, the size of the state space can be significantly reduced, because
the size is exponential in the number of components being verified. When there are
mutual dependencies between components, a special strategy called assume guarantee
reasoning is used. In this approach, properties of each part are verified by making
assumptions of other parts’ behaviors. These assumptions must be proved later when the
correctness of other parts are proved to be correct. Since these parts may be mutually
dependent, this approach seems circular; i.e., proving the correctness of one part depends
on making assumptions about the correctness of another part of the system and vice
versa. This seemingly circular reasoning is addressed by using induction on time. More
specifically, the properties of one part are verified for the current time step by making the
assumptions based on the behavior of other parts in the previous time step.
Page 6
Symbolic Model Checking with BDDs
Partial order reduction is targeted to reduce the state space for concurrent
asynchronous systems. This optimization is based on the idea that if different execution
sequences of asynchronous processes cannot be distinguished by the property we want to
check, we only need to consider one representative sequence. Using this approach, the
state space can be greatly reduced because we no longer need to consider all possible
execution sequences.
Symmetry reduction reduces the state space by replacing symmetric structures in
the system by a representative. Symmetry often occurs when components are replicated.
This replication arises naturally in both software protocols and hardware designs; e.g.,
many communication protocols involve interactions between identical processes; in
superscalar processors, the functional units are replicated; the memory hierarchy is also
full of replicated components such as registers, cache lines, and the main memory.
These state-space reduction techniques target different inherent structures in a
model and are complementary to each other. Currently, one disadvantage of these
approaches is that they often require human intervention to identify the inherent
structures and to describe how to exploit these structures. This process can be labor
intensive and may even be error-prone. Much of current research work focuses on how to
automate these techniques.
Page 7
Symbolic Model Checking with BDDs
CONCLUSION:
REFERENCES
• SHIPLE, T. R., HOJATI, R., SANGIOVANNI-VINCENTELLI, A. L., AND
BRAYTON, R. K. Heuristic minimization of BDDs using don’t cares. In
Proceedings of the 31st ACM/IEEE Design Automation Conference.
Page 8