Cheng A.Real-time systems.Scheduling,analysis,and verification.2002.pdf

116 MODEL CHECKING OF FINITE-STATE SYSTEMS

    readgraph(e, &numstates);
    readlabel(flabel);
    readf(formula, &flength, &s);
    buildnfsf(formula, flength, nf, sf);
    for (fi = flength; fi >= 1; fi--)
        labelgraph(fi, s, &correct);
    printoutput();
}
/* modelchecker */

4.6 SYMBOLIC MODEL CHECKING

The CES model checker and other early model checkers are explicit-state model checkers. They represent a finite state graph using adjacency lists and explicitly list all states in the graph. Since many models have an exponential number of states, explicit-state model checkers suffer from the state explosion problem and are not practical for the verification of many realistic systems. To alleviate this problem, this section introduces symbolic model checking [Burch et al., 1990a], which represents states and transitions as Boolean formulas to reduce redundancy in the graph. These Boolean formulas are then represented by even more compact binary decision diagrams [Lee, 1959; Akers, 1978], which can then be manipulated by very efficient algorithms [Bryant, 1986]. As a result, symbolic model checking makes it practical to verify much larger systems than those analyzable by explicit-state model checking.

4.6.1 Binary Decision Diagrams

Binary decision diagrams (BDDs) are concise graphical representations of Boolean logic formulas. Boolean logic formulas can be represented by truth tables, Karnaugh maps, or canonical sum-of-products form, but these representations contain redundant information in different places, leading to an exponential number of entries or states.

As a first attempt to reduce this redundancy, we represent a Boolean formula by a binary decision tree. Nodes represent variables and the two outgoing edges of each node indicate that the values of the variable are false (0) or true (1), respectively. The leaves are labeled with 0 or 1 corresponding to the truth value of the formula given an assignment of values to the variables.

By traversing a given tree (corresponding to a formula) from the root to a leaf, the value of the formula can be determined given an assignment of values to the variables. Starting from the root labeled with a variable, if the value assigned is 0, we follow the edge labeled with 0 to another node. If the value assigned is 1, we follow the edge labeled with 1 to another node. If the next node is a leaf, then its label is the truth value of the formula. Otherwise, we repeat this step from this node until a leaf is reached.

Note that the binary decision tree has many identical subtrees. By removing subtrees with redundant information, BDDs can be derived. The resulting structure is a directed acyclic graph where each node (except the leaves) has at most two incoming edges and at most two outgoing edges. Leaf nodes may have more than two incoming edges. The nodes in a BDD are also traversed in sequence from the root to a leaf, but the BDD enforces a total ordering of the variables in the sequence. Therefore, BDDs are also called ordered BDDs to emphasize this ordering feature. Bryant [Bryant, 1986] added further restrictions on variable ordering in BDDs to allow for efficient manipulation algorithms. We now formally define Bryant's ordered BDDs.

Ordered Binary Decision Diagrams: A Boolean formula can be represented by a function graph (ordered BDD), which is a rooted, directed, acyclic graph with two types of vertices. A nonterminal vertex v has an index(v) from the set {1, . . . , n} and two children low(v) and high(v). A terminal vertex (leaf) has a value(v) of 0 or 1. If low(v) is a nonterminal vertex, then index(v) < index(low(v)). Similarly, if high(v) is a nonterminal vertex, then index(v) < index(high(v)).

Example. The formula (p ∧ q) ∨ (r ∧ s) ∨ (t ∧ u) is represented by the BDD in Figure 4.2. The acyclic directed graph clearly imposes a total ordering of the variables in the sequence from the root to a leaf: index(p) < index(q) < index(r) < index(s) < index(t) < index(u), or more informally, p < q < r < s < t < u.

Example. The formula ( p q) (r s) (t u) is represented by the BDD in Figure 4.3. Again, the acyclic directed graph imposes a total ordering of the variables in the sequence from the root to a leaf: index( p) < index(q) < index(r) < index(s) < index(t) < index(u), or more informally, p < q < r < s < t < u.

Besides being much more compact than other representations, ordered BDDs are canonical representations of Boolean formulas. This property means that each Boolean formula with a specific variable ordering has a unique and minimal BDD representation. (In fact, BDDs can be viewed as deterministic finite automata (DFA) discussed in chapter 2.) Therefore, we can check that two Boolean formulas are equivalent by checking if they have isomorphic representations, that is, their BDDs exactly match in both structure and attributes. Also, determining the satisfiability of a formula only requires comparing its BDD with that of the constant function false (0).

Figure 4.2 BDD for formula (p ∧ q) ∨ (r ∧ s) ∨ (t ∧ u). (Diagram with nonterminal vertices p, q, r, s, t, u ordered from the root down to the terminals 0 and 1.)

Figure 4.3 BDD for formula ( p q) (r s) (t u). (Diagram with the same vertex ordering p, q, r, s, t, u and terminals 0 and 1.)

From now on, when we say BDDs, we refer to minimal BDDs. The size of a BDD depends heavily on the selected variable ordering and is exponential in the number of variables in the worst case. However, for many practical Boolean formulas, a good variable ordering exists (often determined by a human domain expert) that yields BDDs whose size is linear. Note that determining an optimal variable ordering is itself an NP-complete problem. We now formally define isomorphic BDDs.

Isomorphic BDDs: Given two ordered BDDs (function graphs) G1 with vertex set V1 and G2 with vertex set V2, G1 and G2 are isomorphic if there exists a one-to-one function h from V1 to V2 such that for any vertex v1 ∈ V1 with h(v1) = v2 ∈ V2, either (1) v1 and v2 are terminal vertices and value(v1) = value(v2), or (2) v1 and v2 are nonterminal vertices with index(v1) = index(v2), h(low(v1)) = low(v2), and h(high(v1)) = high(v2).

Given the BDDs corresponding to Boolean formulas f and g, [Bryant, 1986] presents efficient algorithms for computing the BDDs of ¬ f , f g, and the restriction of f with a variable x set to 0 or 1.

The model checking algorithm also requires two other operations: quantification over Boolean variables (QBF) and substitution of variable names. Algorithms for these operations are not presented in [Bryant, 1986]. However, we can use the restriction algorithm to derive the BDD of a QBF formula. First, we describe the restriction notation.


Algorithm Restrict:

Input: BDD representing Boolean formula f, variable x, value b (either 0 or 1).
Output: BDD with the above restriction.

    while (not visited(v)) do
        if v = x then
            if b = 0
                then change pointer to v to point to low(v)
                else change pointer to v to point to high(v)
    reduce BDD and assign unique identifiers to the vertices
End Restrict

Figure 4.4 Algorithm restrict.

Restriction: The notation f|x=0 means the restriction of Boolean formula f with variable x set to 0. Similarly, the notation f|x=1 means the restriction of Boolean formula f with variable x set to 1.

The restriction algorithm (Figure 4.4) converts the BDD of a Boolean function f into one representing f for a specific variable set to a specific value.

The quantification algorithms are based on the following definitions.

Existentially Quantified Boolean Formula: Given a Boolean formula f and a Boolean variable x, ∃x[f] = f|x=0 ∨ f|x=1.

Universally Quantified Boolean Formula: Given a Boolean formula f and a Boolean variable x, ∀x[f] = ¬∃x[¬f].

For quantification of more than one variable, the following notations are used.

General Quantified Boolean Formula: Given a vector of Boolean variables x = x1, . . . , xn, the notation Qx[f], where Q is either ∃ or ∀, denotes Qx1[. . . Qxn[f] . . .].

Now the substitution of variable names can be done using the quantification algorithm above.

Substitution of Variable Names: The substitution of a variable x by a variable y in a formula f, assuming that the variable y is not free in f, is ∃x[(x ↔ y) ∧ f].

Since the symbolic model checker very frequently executes these operations, more efficient algorithms are used in the implemented verification tool [Burch et al., 1990a].
