UNIVERSITY OF TWENTE. Formal Methods & Tools.

Scalable Multi-core Model Checking: Technology & Applications of Brute Force
Part III: Symbolic
Jaco van de Pol
30, 31 October 2014
VTSA 2014, Luxembourg

Table of Contents

1 Binary Decision Diagrams - storing vectors of sets concisely
    Definition
    Implementation
2 Symbolic Reachability
    Next-state by Relational Product
    Partitioning of next-state
3 Symbolic Model Checking in LTSmin
    PINS interface and Local Transition Caching
    Multi-valued Decision Diagrams
4 Sylvan: Multi-core BDDs
    Data Structures
    Work Stealing
    Parallelism at a higher level
    Experiments

Sources on Binary Decision Diagrams

Papers/Tutorials (1990's)
- H.R. Andersen, An Introduction to Binary Decision Diagrams
- R.E. Bryant, Symbolic Boolean Manipulation with Ordered Binary-Decision Diagrams

Tools
- BDD-packages: BuDDy, CuDD, Java(B)DD, multi-core: Sylvan
- Symbolic model checker: nuSMV http://nusmv.fbk.eu/
- LTSmin: http://fmt.cs.utwente.nl/tools/ltsmin/

Binary Decision Diagrams

Binary Decision Diagram
- A Binary Decision Diagram is a directed acyclic graph
- Its internal nodes are ordered, binary (called low, high)
- Its internal nodes are labeled by variables
- Its leaves are labeled by 0 or 1

Example
[Figure: BDD with root X, two Y nodes and leaves 1 and 0]

Conventions
- Internal nodes are drawn as circles
- High edges are drawn solid
- Low edges are drawn dashed
- Leaves are drawn as boxes, with 0 or 1
- "If X is true, then high, else low branch"
- Formula on the left: $X \Leftrightarrow Y$

How to interpret a BDD?

Boolean Functions, or sets of Boolean vectors
- Let $X = \{x_1, \ldots, x_n\}$ be Boolean variables
- A valuation is a function $X \to \{0, 1\}$
- A BDD represents a set of valuations
    - all valuations that lead from the root to leaf 1 are in the set
    - valuations that lead from the root to leaf 0 are not in the set
- Equivalently, a BDD represents a function $\{0, 1\}^n \to \{0, 1\}$

Hint
[Figure: node X with sub-BDDs B1 and B2]
You can read the BDD as one of:
- If X then B1 else B2. Notation: $X \to B_1, B_2$
- $(X \land B_1) \lor (\neg X \land B_2)$.

Examples

Basic Boolean Connectives
[Figure: BDDs for $x$, $\neg x$, $x \land y$, $x \lor y$]

Propositional logic formulas
- Apparently, BDDs form an alternative to proposition logic.
- Recall negation $\neg$ and the binary connectives: $\land$, $\lor$, $\Rightarrow$, $\Leftrightarrow$
- How many binary operators are possible? . sufficient?
- Introduce one ternary operator: $x \to s, t$ ... sufficient basis!

More Examples

Three times: $(x \land y) \lor z$
[Figure: three BDDs for $(x \land y) \lor z$]

Reduced BDDs:
- no duplicate nodes
- no redundant tests

Ordered BDDs:
- The order of the vars is fixed
- The order impacts BDD size

Reduced Ordered BDDs (ROBDD = OBDD)

Reduced BDDs
A BDD is called reduced iff:
- No duplicate leafs: There is at most one leaf with label 0 and one with label 1.
- No duplicate nodes: For all nodes $v, w$, if $var(v) = var(w)$, $low(v) = low(w)$ and $high(v) = high(w)$, then $v = w$.
- No redundant tests: For all nodes $v$, $low(v) \neq high(v)$.

Ordered BDDs
A BDD is called ordered iff
- there exists an ordering $x_1 < x_2 < \cdots < x_n$, such that
- for all nodes $v$ in the BDD, $var(v) < var(low(v))$ and $var(v) < var(high(v))$

Stepwise transformation from BDD to (R)OBDD

A BDD can (in principle) be transformed to an OBDD by repeated application of the following transformation rules:

Stepwise reduction
- Eliminate duplicate nodes
- Eliminate redundant tests

Stepwise ordering
- Re-order nodes ($p < q$)
- Eliminate double tests

[Figures: one rewrite rule per transformation, over nodes X, p, q and sub-BDDs A, B, C]

Variable ordering can make an exponential difference

$(x_1 \Leftrightarrow y_1) \land (x_2 \Leftrightarrow y_2) \land (x_3 \Leftrightarrow y_3)$ (edges to 0 are suppressed)

- $x_1 < x_2 < x_3 < y_1 < y_2 < y_3$: $3 \cdot 2^n - 2$ nodes
- $x_1 < y_1 < x_2 < y_2 < x_3 < y_3$: $3 \cdot n + 1$ nodes

[Figure: the two OBDDs, one per ordering]

Theoretical Results

Existence and Uniqueness
For a fixed variable ordering $(X, <)$:
- every Boolean function can be represented,
- by a canonical (unique up to isomorphism) OBDD

Ordering
- The chosen ordering has a huge impact on the OBDD size
- Finding the optimal ordering is NP-hard
- Some functions only admit exponentially large OBDDs
- E.g.: multiplication $P(\vec{x}, \vec{y}, \vec{z})$ such that $(x_1 \ldots x_n) * (y_1 \ldots y_n) = (z_1 \ldots z_{2n})$ needs $O(2^n)$ OBDD nodes, whatever ordering is chosen
- In practice, many functions have small OBDD representations

OBDD packages

Regard OBDD as abstract datatype
- Manipulation of OBDDs through pointers / objects
- Basic constructors ensure invariant "Reduced & Ordered"
- Operations on OBDDs implement logical connectives:

Illustration (5 < 100 functions in C-interface of BuDDy)

    BDD bdd_high (BDD r)
    BDD bdd_not (BDD r)
    BDD bdd_apply (BDD l, BDD r, int op)
    BDD bdd_exist (BDD r, BDD var)
    BDD bdd_relprod (BDD l, BDD r, BDD var)

Implementation
- Data structures (unique table, operation caches)
- Operations are based on a generic Apply-function

Data structure: Unique Table

Keep maximal sharing and avoid redundant tests
- This is a hash table, to ensure unicity of all BDD nodes
- It assigns a unique number to each triple: $N \leftrightarrow \langle var, N_L, N_H \rangle$
- One can lookup $var(N)$, $low(N)$, $high(N)$ in $O(1)$ time.

MakeNode($x$, $N_L$, $N_H$) = $N$ (create new nodes)

    Require: variable x, nodes NL, NH
    Ensure: a unique node N denoting (¬x ∧ NL) ∨ (x ∧ NH)
    if NL = NH then
        N := NL
    else if ⟨x, NL, NH⟩ is in the unique table then
        N := lookup(x, NL, NH)
    else
        N := insert new entry(x, NL, NH) in the unique table
    end if

Naive function for conjunction: $\land$

ApplyAnd($N_1$, $N_2$) = $N$

    Require: BDD nodes N1, N2
    Ensure: BDD node N representing N1 ∧ N2
    if N1 = 0, N1 = 1, N2 = 0, or N2 = 1 then
        N := 0, N2, 0, N1, respectively
    else
        x1, l1, r1 := var(N1), low(N1), high(N1)
        x2, l2, r2 := var(N2), low(N2), high(N2)
        if x1 = x2 then
            N := MakeNode(x1, ApplyAnd(l1, l2), ApplyAnd(r1, r2))
        else if x1 < x2 then
            N := MakeNode(x1, ApplyAnd(l1, N2), ApplyAnd(r1, N2))
        else if x1 > x2 then
            N := MakeNode(x2, ApplyAnd(N1, l2), ApplyAnd(N1, r2))
        end if
    end if

Problem with naive recursion

Naive Complexity
- Consider a BDD with $n$ nodes, but a lot of sharing
- The BDD can have $O(2^n)$ different paths (!)
- Hence the naive APPLY takes $O(2^n)$ recursive calls

Solution: Dynamic Programming
- Store all intermediate results in an operation cache
    - first check if the result is already in the cache
    - if not, compute it and put the result in the cache
- This is a well-known technique, e.g.
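
Added example, not part of the original slides: a minimal Python ROBDD with the unique table (MakeNode), the ApplyAnd recursion and the operation cache described above. It reproduces the 3·2^n − 2 versus 3·n + 1 node counts for the two variable orderings and counts recursive calls with and without the cache. The names `BDD`, `chain` and `self_and_calls` are assumptions of this example, not BuDDy or Sylvan APIs.

```python
class BDD:  # node ids are ints; ids 0 and 1 are the two leaves
    def __init__(self, use_cache=True):
        self.nodes, self.unique = [None, None], {}   # id -> triple, triple -> id
        self.use_cache, self.cache, self.calls = use_cache, {}, 0

    def make_node(self, x, lo, hi):
        if lo == hi: return lo                 # no redundant tests
        key = (x, lo, hi)
        if key not in self.unique:             # no duplicate nodes
            self.nodes.append(key)
            self.unique[key] = len(self.nodes) - 1
        return self.unique[key]

    def apply_and(self, a, b):
        self.calls += 1                        # every recursive call is counted
        if a == 0 or b == 0: return 0
        if a == 1 or b == 1: return b if a == 1 else a
        if self.use_cache and (a, b) in self.cache:
            return self.cache[(a, b)]
        (xa, la, ha), (xb, lb, hb) = self.nodes[a], self.nodes[b]
        x = min(xa, xb)                        # split on the earlier variable
        if xa > x: la = ha = a                 # a does not test x: pass it down whole
        if xb > x: lb = hb = b
        r = self.make_node(x, self.apply_and(la, lb), self.apply_and(ha, hb))
        self.cache[(a, b)] = r                 # only consulted when use_cache is set
        return r

    def size(self, root):  # internal nodes reachable from root, plus leaf 1
        seen, stack = set(), [root]
        while stack:
            n = stack.pop()
            if n > 1 and n not in seen:
                seen.add(n)
                stack += self.nodes[n][1:]     # push low and high children
        return len(seen) + 1

def chain(n, interleaved, use_cache=True):
    # (x1 <=> y1) & ... & (xn <=> yn); variables are levels 0 .. 2n-1
    bdd, f = BDD(use_cache), 1
    for i in range(n):
        p, q = (2 * i, 2 * i + 1) if interleaved else (i, n + i)   # p < q
        e = bdd.make_node(p, bdd.make_node(q, 1, 0), bdd.make_node(q, 0, 1))
        f = bdd.apply_and(f, e)
    return bdd, f

def self_and_calls(n, use_cache):
    bdd, f = chain(n, True, use_cache)         # 3n nodes, but 2^n paths to leaf 1
    bdd.calls, bdd.cache = 0, {}               # measure only the call below
    return bdd.apply_and(f, f) == f, bdd.calls
```

For n = 10 the interleaved chain has 31 nodes; computing f ∧ f on it takes 6139 recursive calls without the cache and 61 with it.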