Syntax-driven partitioning for model-checking of Esterel

programs

Eric Vecchié - INRIA Aoste

Motivation

• Build the Reachable State Space…

• …following the syntaxabort P when S;Q

• Reachable State Space allows– Model-checking– Code optimization– Test sequence generation– …

R ← INITnew ← Rwhile ( new ≠ ø ) do new ← Image(new) \ R R ← R U newend while

Reachable State Space

• Breadth First Search algorithm

• Symbolic methods (BDDs)

What is done

Size of Computations

Solution : Rely on program structural syntax

BDDsize

states reached

non-saturatedstates set

What we do

Example : Wristwatch

display

watch

time_setalarm_set

stopwatch

Example : Wristwatch

Example : Wristwatch

How to partition ?

• According to program blocks

– Separated by frontiers– Synthesized from signal receptions

• Build a control flow graph

– Encoding frontiers– Guiding the RSS computation

Preemption / if-then-else

P

Q

P1 P2

Q

S

S

abort

Pwhen S;present T then

Q1else

Q2end;

R

P

Q2

R

Q1

Partitioning Example

Parallel Constructs

• Avoid cartesian product

– {P1, P2} {Q1, Q2}

• Use signal information

||

P1 Q1

P2 Q2

Parallel and signals||

P1 Q1

R1

P2

Q2

Q3 R2

S1

S2

• Only increasing

Avoid the cross product

• Can be not satisfying on loops– …but on rare cases

Parallel and signals

Loops

PQ

pause

pause

loop end||

abort

when S

present T then

else

end

;

Control Flow Graph construction

|| pausepausepause pause;

Symbolic methods

• Boolean functions

• Sets (in a finite universe)

• Partitioned Transition Relations

Binary Decision Diagrams (BDDs) allow to represent :

Cofactoring

Given a domain D, reduce the BDD of a function f :f↑D(x) = f(x) if x belongs to D

• Cofactoring is used 2 ways

– Reduce the domain according to our frontiers

– Transition function applied on new states

Experiments

• A medium-sized design : sequencer

• A big design : cabin

BDD sizes in “sequencer”

A big design : “cabin”

Default method Partitioning

534 states 135 441 875 states

3 steps (11.85s) 123 steps (35h40)

Conclusion

Program verification following program syntax

• Preemptions, if-then-else

• Signals in parallels

Smaller intermediate BDDs

• Lighter transition functions

• Lighter image computations

Less memory required

The End

Motivation

• Model-checking

• Code optimization

• Test sequence generation

• …

Reachable State Space (RSS)

R ← INITnew ← Rwhile ( new ≠ ø ) do new ← Image(new) \ R R ← R U newend while

Reachable State Space (RSS)

• Breadth First Search algorithm

• Symbolic methods (BDDs)

Introduction

• Esterel

• Synchronous reactive structural

programming– sequence, if-then-else

– Parallelism, preemption

• Circuit translation (model-checking level)

Partitioning - detail