Syntax-driven partitioning for model-checking of Esterel programs Eric Vecchié - INRIA Aoste.

Post on 16-Dec-2015


Syntax-driven partitioning for model-checking of Esterel programs

Eric Vecchié - INRIA Aoste

Motivation

• Build the Reachable State Space…

• …following the syntax

  abort P when S; Q

• Reachable State Space allows
  – Model-checking
  – Code optimization
  – Test sequence generation
  – …

  R ← INIT
  new ← R
  while ( new ≠ ø ) do
    new ← Image(new) \ R
    R ← R ∪ new
  end while

Reachable State Space

• Breadth First Search algorithm

• Symbolic methods (BDDs)

What is done

Size of Computations

Solution : Rely on program structural syntax

[Plot: BDD size against the number of states reached; the region marked "non-saturated states set" is where the intermediate BDDs grow.]

What we do

Example : Wristwatch

[Figure: the blocks of the wristwatch program: watch, display, time_set, alarm_set, stopwatch.]


How to partition ?

• According to program blocks
  – Separated by frontiers
  – Synthesized from signal receptions

• Build a control flow graph
  – Encoding frontiers
  – Guiding the RSS computation

Preemption / if-then-else

Example program (as on the slide):

  abort
    P
  when S;
  present T then
    Q1
  else
    Q2
  end;
  R

[Figure: control-flow graphs. For abort P when S; Q the nodes shown are P and Q, then P1, P2 and Q with edges labelled S (the reception of S is the frontier that splits P). For the present test the nodes are P, Q1, Q2 and R, the two branches joining at R.]

Partitioning Example

Parallel Constructs

• Avoid the cartesian product
  – {P1, P2} × {Q1, Q2}

• Use signal information

[Figure: a parallel || whose branches are P1 … P2 and Q1 … Q2.]

Parallel and signals

[Figure: a parallel || whose branches contain the blocks P1, P2 and Q1, Q2, Q3, R1, R2, with the signals S1 and S2 marking the frontiers between them.]

• Only increasing

Avoid the cross product

• Can be unsatisfactory on loops
  – …but only in rare cases
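Added example, not part of the slides or of the author's tool: an explicit-state Python version of the RSS fixpoint from the "Reachable State Space" slide, of the block-by-block exploration along frontiers from the "How to partition ?" slide, and of the parallel-with-signals case above. Plain sets of states stand in for BDDs, so the sizes it reports are set sizes, not BDD sizes. The two toy programs (abort P when S; Q, and P || await T …), their state encodings, the constants N_P, N_Q, N_PAR, K, N_QPAR and the block names P1/P2/Q1/Q2 are all assumptions constructed for this example.

```python
"""Added example, not code from the slides: an explicit-state version of the
RSS fixpoint and of the two partitioning ideas (frontiers in a sequence,
signals in a parallel).  Python sets replace BDDs, so the numbers reported
are set sizes, not BDD sizes.  The toy programs, their state encodings and
the block names are constructed for this example."""

# ---- RSS fixpoint from the "Reachable State Space" slide ---------------------
def rss(init, image_fn, domain=None):
    """R <- INIT; new <- R; while new != {}: new <- Image(new) \\ R; R <- R U new.
    `domain` stands in for cofactoring: successors outside the current block
    are dropped here and explored later, when that block is processed."""
    R = frozenset(init)
    new = R
    steps, max_new = 0, len(new)
    while new:
        new = image_fn(new) - R
        if domain is not None:
            new = frozenset(s for s in new if domain(s))
        R = R | new
        steps += 1
        max_new = max(max_new, len(new))
    return R, steps, max_new

# ---- Program 1 (constructed):  abort P when S; Q ----------------------------
# P and Q each run through a few pauses; S is a free input (absent / present).
N_P, N_Q = 4, 3
SEQ_INIT = frozenset({("P", 0)})

def seq_step(state, s_present):
    block, pc = state
    if block == "P":                         # strong abort by S, or P terminates
        return ("Q", 0) if (s_present or pc == N_P - 1) else ("P", pc + 1)
    if block == "Q":
        return ("Q", pc + 1) if pc < N_Q - 1 else ("done", 0)
    return ("done", 0)

def seq_image(states):
    return frozenset(seq_step(st, s) for st in states for s in (False, True))

def rss_partitioned(blocks, init=SEQ_INIT, image_fn=seq_image):
    """Follow the syntax: explore one block at a time.  The states reached by
    crossing a block's frontier form the initial set of the next block."""
    total, entry, max_new = frozenset(), init, 0
    for name in blocks:
        in_block = lambda st, n=name: st[0] == n
        R, _, m = rss(entry, image_fn, domain=in_block)
        total, max_new = total | R, max(max_new, m)
        entry = frozenset(s for s in image_fn(R) if not in_block(s) and s not in total)
    return total | entry, max_new

# ---- Program 2 (constructed):  P || Q  with a local signal T ----------------
# P runs N_PAR instants and emits T during instant K; Q is `await T; ...`.
N_PAR, K, N_QPAR = 5, 2, 3
PAR_INIT = frozenset({(0, "w")})            # P at pc 0, Q waiting for T

def par_step(state):
    p, q = state
    t_present = p == K                       # synchronous broadcast within the instant
    p_next = p + 1 if isinstance(p, int) and p < N_PAR - 1 else "done"
    if q == "w":
        q_next = 0 if t_present else "w"
    elif isinstance(q, int):
        q_next = q + 1 if q < N_QPAR - 1 else "done"
    else:
        q_next = "done"
    return (p_next, q_next)

def par_image(states):
    return frozenset(par_step(s) for s in states)

def cross_product_size():
    """Size of the cartesian product {P states} x {Q states} that a
    partitioning ignoring signals would have to consider."""
    return (N_PAR + 1) * (N_QPAR + 2)

def block_pairs(states):
    """Which (P-block, Q-block) pairs occur among the reachable states, cutting
    P at the emission of T and Q at its reception, as the slides do."""
    p_block = lambda p: "P1" if isinstance(p, int) and p <= K else "P2"
    q_block = lambda q: "Q1" if q == "w" else "Q2"
    return frozenset((p_block(p), q_block(q)) for p, q in states)

if __name__ == "__main__":
    whole, steps, widest = rss(SEQ_INIT, seq_image)
    part, widest_part = rss_partitioned(("P", "Q", "done"))
    print(f"sequence: {len(whole)} states in {steps} steps, widest frontier {widest}")
    print(f"partitioned: {len(part)} states, widest frontier {widest_part}")
    reach, _, _ = rss(PAR_INIT, par_image)
    print(f"parallel: {len(reach)} reachable of {cross_product_size()} product states")
    print("block pairs actually reached:", sorted(block_pairs(reach)))
```

Running it shows the same 8 reachable states for the sequence whether it is explored at once or block by block, with the widest frontier dropping from 2 to 1 when the exploration follows the syntax. For the parallel, only 7 of the 30 product states are reachable, and they fall in the two block pairs (P1, Q1) and (P2, Q2) rather than in all four: the signal T, emitted by P and awaited by Q, is the information that rules out the other two pairs.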


Loops

[Figure: control-flow graph of a loop. Fragments visible on the slide: P, Q and two pause statements inside loop … end, composed in parallel (||) with the abort … when S; present T then … else … end; example.]

Control Flow Graph construction

[Figure: control-flow graph construction for a parallel of pause sequences (pause … pause || pause … pause;).]

Symbolic methods

Binary Decision Diagrams (BDDs) can represent:

• Boolean functions

• Sets (in a finite universe)

• Partitioned transition relations

Cofactoring

Given a domain D, reduce the BDD of a function f to a function f↑D that agrees with f on D: f↑D(x) = f(x) if x ∈ D. Outside D the value is a don't-care, which is what allows the BDD to shrink.

• Cofactoring is used in two ways

  – Restrict the state domain to the current frontier

  – Restrict the transition function to the new states whose image is being computed

Experiments

• A medium-sized design : sequencer

• A big design : cabin

[Figure: BDD sizes in “sequencer”.]

A big design : “cabin”

                   Default method         Partitioning
  states reached   534 states             135 441 875 states
  steps            3 steps (11.85 s)      123 steps (35h40)

Conclusion

Program verification following program syntax

• Preemptions, if-then-else

• Signals in parallels

Smaller intermediate BDDs

• Lighter transition functions

• Lighter image computations

Less memory required

The End


Introduction

• Esterel: synchronous reactive structural programming
  – sequence, if-then-else
  – parallelism, preemption

• Circuit translation (model-checking level)

Partitioning - detail