Upload
others
View
10
Download
0
Embed Size (px)
Citation preview
Advanced Unbounded CTL Model Checking Basedon AIGs, BDD Sweeping, And Quantifier
Scheduling
Florian Pigorsch, Christoph Scholl, Stefan Disch
Albert-Ludwigs-Universitat Freiburg, Institut fur Informatik
FMCAD 2006
1 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Outline
1 Motivation
2 And-Inverter Graphs
3 FRAIGs
4 Quantifier Scheduling
5 BDD Sweeping
6 Experimental ResultsOur Model CheckerFunctional Reduction, Node Selection HeuristicsBDD-Sweeping and Quantifier SchedulingComparison with BDD based model checkers
7 Conclusions
2 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Motivation
Why another data structure for model checking?
BDD based model checking fails on certain problems
e.g. blow-up when representing combinational multipliers...
And-Inverter Graphs have been successfully used in:
Combinational Equivalence Checking (e.g. Mishchenko, Kuehlmann)Bounded Model Checking (e.g. Kuehlmann)Technology mappingVarious other verification/synthesis applications
Use And-Inverter Graphs as the underlying data structure for unboundedsymbolic CTL model checking
3 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Motivation
Why another data structure for model checking?
BDD based model checking fails on certain problems
e.g. blow-up when representing combinational multipliers...
And-Inverter Graphs have been successfully used in:
Combinational Equivalence Checking (e.g. Mishchenko, Kuehlmann)Bounded Model Checking (e.g. Kuehlmann)Technology mappingVarious other verification/synthesis applications
Use And-Inverter Graphs as the underlying data structure for unboundedsymbolic CTL model checking
3 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
And-Inverter Graphs
And-Inverter Graphs
And-Inverter Graphs
x y z
f = x · (y + z)
node ≈ and gate
inverted edge ≈ inverter
variables ≈ inputs
Networks of 2-input and gates and inverters
Simple data structure
Every Boolean function can be represented by an AIG
But: possibly redundant and non-canonical (in contrast to BDDs)
5 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
And-Inverter Graphs
And-Inverter Graphs
x y z
f = x · (y + z)
node ≈ and gate
inverted edge ≈ inverter
variables ≈ inputs
Networks of 2-input and gates and inverters
Simple data structure
Every Boolean function can be represented by an AIG
But: possibly redundant and non-canonical (in contrast to BDDs)
y x z
f = y · x + x · z
5 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
And-Inverter Graphs
Operations
AND by adding a new and node, NOT by adding an inverted edge
Cofactor by propagating constants
Substitution of variables
Quantification by cofactoring (∃x .f ≡ f |x=0 + f |x=1) (possiblyexpensive)
Equivalence check of two nodes? ⇒ SAT
f g
f · gh¬h
6 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
And-Inverter Graphs
Operations
AND by adding a new and node, NOT by adding an inverted edge
Cofactor by propagating constants
Substitution of variables
Quantification by cofactoring (∃x .f ≡ f |x=0 + f |x=1) (possiblyexpensive)
Equivalence check of two nodes? ⇒ SAT
ff |x=c
x = cx
6 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
And-Inverter Graphs
Operations
AND by adding a new and node, NOT by adding an inverted edge
Cofactor by propagating constants
Substitution of variables
Quantification by cofactoring (∃x .f ≡ f |x=0 + f |x=1) (possiblyexpensive)
Equivalence check of two nodes? ⇒ SAT
f f |x=g
x = gx
g
6 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
And-Inverter Graphs
Operations
AND by adding a new and node, NOT by adding an inverted edgeCofactor by propagating constantsSubstitution of variablesQuantification by cofactoring (∃x .f ≡ f |x=0 + f |x=1) (possiblyexpensive)
Equivalence check of two nodes? ⇒ SAT
x x = 0 x = 1
f
∃x.f
f |x=0 f |x=1
6 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
And-Inverter Graphs
Operations
AND by adding a new and node, NOT by adding an inverted edge
Cofactor by propagating constants
Substitution of variables
Quantification by cofactoring (∃x .f ≡ f |x=0 + f |x=1) (possiblyexpensive)
Equivalence check of two nodes? ⇒ SAT
1?
f g
6 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
And-Inverter Graphs
Are we ready for model checking?
We already have the needed operations for model checking:
Basic Boolean operators
Quantification
Substitution
Equivalence check for two nodes
But, plain AIGs are not enough:
Too many redundant nodes
Quantification will result in extremely large AIGs
We need to add some things to make model checking with AIGs feasible
7 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
And-Inverter Graphs
Are we ready for model checking?
We already have the needed operations for model checking:
Basic Boolean operators
Quantification
Substitution
Equivalence check for two nodes
But, plain AIGs are not enough:
Too many redundant nodes
Quantification will result in extremely large AIGs
We need to add some things to make model checking with AIGs feasible
7 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
And-Inverter Graphs
Are we ready for model checking?
We already have the needed operations for model checking:
Basic Boolean operators
Quantification
Substitution
Equivalence check for two nodes
But, plain AIGs are not enough:
Too many redundant nodes
Quantification will result in extremely large AIGs
We need to add some things to make model checking with AIGs feasible
7 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Functionally Reduced And-Inverter Graphs: FRAIGs
FRAIGs
FRAIGs
FRAIG (A. Mishchenko)
A functionally reduced AIG does not contain two nodes representing thesame Boolean function.
How to create FRAIGs?
When creating a new node...
Find possibly equivalent candidate nodes using simulation
Solve the equivalence checking problems of the new node andcandidate nodes with a SAT solver (MiniSAT)
When finding an equivalent candidate: delete one of the two nodes
Use the feedback from the solver to strengthen the simulation values
A FRAIG is reduced by removing (functionally) redundant nodes
9 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
FRAIGs
FRAIGs
FRAIG (A. Mishchenko)
A functionally reduced AIG does not contain two nodes representing thesame Boolean function.
How to create FRAIGs?When creating a new node...
Find possibly equivalent candidate nodes using simulation
Solve the equivalence checking problems of the new node andcandidate nodes with a SAT solver (MiniSAT)
When finding an equivalent candidate: delete one of the two nodes
Use the feedback from the solver to strengthen the simulation values
A FRAIG is reduced by removing (functionally) redundant nodes
9 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
FRAIGs
FRAIGs
FRAIG (A. Mishchenko)
A functionally reduced AIG does not contain two nodes representing thesame Boolean function.
How to create FRAIGs?When creating a new node...
Find possibly equivalent candidate nodes using simulation
Solve the equivalence checking problems of the new node andcandidate nodes with a SAT solver (MiniSAT)
When finding an equivalent candidate: delete one of the two nodes
Use the feedback from the solver to strengthen the simulation values
A FRAIG is reduced by removing (functionally) redundant nodes
9 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
FRAIGs
FRAIGs
FRAIG (A. Mishchenko)
A functionally reduced AIG does not contain two nodes representing thesame Boolean function.
How to create FRAIGs?When creating a new node...
Find possibly equivalent candidate nodes using simulation
Solve the equivalence checking problems of the new node andcandidate nodes with a SAT solver (MiniSAT)
When finding an equivalent candidate: delete one of the two nodes
Use the feedback from the solver to strengthen the simulation values
A FRAIG is reduced by removing (functionally) redundant nodes
9 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
FRAIGs
FRAIGs
FRAIG (A. Mishchenko)
A functionally reduced AIG does not contain two nodes representing thesame Boolean function.
How to create FRAIGs?When creating a new node...
Find possibly equivalent candidate nodes using simulation
Solve the equivalence checking problems of the new node andcandidate nodes with a SAT solver (MiniSAT)
When finding an equivalent candidate: delete one of the two nodes
Use the feedback from the solver to strengthen the simulation values
A FRAIG is reduced by removing (functionally) redundant nodes
9 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
FRAIGs
FRAIGs
FRAIG (A. Mishchenko)
A functionally reduced AIG does not contain two nodes representing thesame Boolean function.
How to create FRAIGs?When creating a new node...
Find possibly equivalent candidate nodes using simulation
Solve the equivalence checking problems of the new node andcandidate nodes with a SAT solver (MiniSAT)
When finding an equivalent candidate: delete one of the two nodes
Use the feedback from the solver to strengthen the simulation values
A FRAIG is reduced by removing (functionally) redundant nodes
9 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
FRAIGs
FRAIGs
FRAIG (A. Mishchenko)
A functionally reduced AIG does not contain two nodes representing thesame Boolean function.
How to create FRAIGs?When creating a new node...
Find possibly equivalent candidate nodes using simulation
Solve the equivalence checking problems of the new node andcandidate nodes with a SAT solver (MiniSAT)
When finding an equivalent candidate: delete one of the two nodes
Use the feedback from the solver to strengthen the simulation values
A FRAIG is reduced by removing (functionally) redundant nodes
9 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
FRAIGs
How to handle pairs of equivalent nodes?
When we detect a pair of functionally equivalent nodes during FRAIGconstruction, we have to delete one of the two nodes.
Two different simple node selection heuristics:
hkeep: keep the old, existing node and delete the new node
hsize : keep the node with the smaller cone size, delete the other node
10 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
FRAIGs
How to handle pairs of equivalent nodes?
When we detect a pair of functionally equivalent nodes during FRAIGconstruction, we have to delete one of the two nodes.Two different simple node selection heuristics:
hkeep: keep the old, existing node and delete the new node
hsize : keep the node with the smaller cone size, delete the other node
10 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Speeding up Quantification
Quantifier Scheduling
Quantifier Scheduling: A Motivating Example
n-bit Carry-Ripple-Adder ( ~s = ~x + ~y )Formula ∃~x .sn · sn−1
quantification order UP: quantify x0 first, then x1, . . .
quantification order DOWN: quantify xn−1 first, then xn−2, . . .
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14
0
2500
5000
7500
10000
12500
15000
17500
20000
22500
25000
27500
30000
32500
35000
UP
DOWN
quantifications
nodes
⇒ Quantification order is crucial!
12 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Quantifier Scheduling
Quantifier Scheduling: A Motivating Example
n-bit Carry-Ripple-Adder ( ~s = ~x + ~y )Formula ∃~x .sn · sn−1
quantification order UP: quantify x0 first, then x1, . . .
quantification order DOWN: quantify xn−1 first, then xn−2, . . .
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14
0
2500
5000
7500
10000
12500
15000
17500
20000
22500
25000
27500
30000
32500
35000
UP
DOWN
quantifications
nodes
⇒ Quantification order is crucial!
12 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Quantifier Scheduling
Quantifier Scheduling: A Motivating Example
n-bit Carry-Ripple-Adder ( ~s = ~x + ~y )Formula ∃~x .sn · sn−1
quantification order UP: quantify x0 first, then x1, . . .
quantification order DOWN: quantify xn−1 first, then xn−2, . . .
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14
0
2500
5000
7500
10000
12500
15000
17500
20000
22500
25000
27500
30000
32500
35000
UP
DOWN
quantifications
nodes
⇒ Quantification order is crucial!
12 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Quantifier Scheduling
Quantifier Scheduling: A Motivating Example
n-bit Carry-Ripple-Adder ( ~s = ~x + ~y )Formula ∃~x .sn · sn−1
quantification order UP: quantify x0 first, then x1, . . .
quantification order DOWN: quantify xn−1 first, then xn−2, . . .
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14
0
2500
5000
7500
10000
12500
15000
17500
20000
22500
25000
27500
30000
32500
35000
UP
DOWN
quantifications
nodes
⇒ Quantification order is crucial!
12 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Quantifier Scheduling
Multiple Quantifications
One quantification operation may double the AIG’s sizex x = 0 x = 1
f
∃x.f
f |x=0 f |x=1
A series of quantifications may lead to an exponential blow-up
How to avoid the blow-up?
Find a good quantification schedule!
13 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Quantifier Scheduling
Multiple Quantifications
One quantification operation may double the AIG’s sizex x = 0 x = 1
f
∃x.f
f |x=0 f |x=1
A series of quantifications may lead to an exponential blow-up
How to avoid the blow-up?
Find a good quantification schedule!
13 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Quantifier Scheduling
Multiple Quantifications
One quantification operation may double the AIG’s sizex x = 0 x = 1
f
∃x.f
f |x=0 f |x=1
A series of quantifications may lead to an exponential blow-up
How to avoid the blow-up?
Find a good quantification schedule!
13 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Quantifier Scheduling
Multiple Quantifications
One quantification operation may double the AIG’s sizex x = 0 x = 1
f
∃x.f
f |x=0 f |x=1
A series of quantifications may lead to an exponential blow-up
How to avoid the blow-up?
Find a good quantification schedule!
13 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Quantifier Scheduling
A greedy algorithm for quantifier scheduling
Greedy quantification
greedy quantify( f, vars )res ← f;while vars 6= ∅
bestvar ← NULL; bestsize ←∞;for all v ∈ vars
if expected size( res, v ) < bestsizebestsize ← expected size( res, v ); bestvar ← v;
res ← quantify( res, bestvar );vars ← vars \{ bestvar };
return res;
14 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Quantifier Scheduling
Expected quantification result size?
How to compute the expected size of the quantification result?
One could actually perform quantifications by all variables to get theexact sizes. Too expensive!
Estimate the resulting size of one quantification step by simulatingthe two constant propagations:
15 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Quantifier Scheduling
Expected quantification result size?
How to compute the expected size of the quantification result?
One could actually perform quantifications by all variables to get theexact sizes. Too expensive!
Estimate the resulting size of one quantification step by simulatingthe two constant propagations:
15 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Quantifier Scheduling
Expected quantification result size?
How to compute the expected size of the quantification result?
One could actually perform quantifications by all variables to get theexact sizes. Too expensive!
Estimate the resulting size of one quantification step by simulatingthe two constant propagations:
15 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Quantifier Scheduling
Expected quantification result size?
How to compute the expected size of the quantification result?
One could actually perform quantifications by all variables to get theexact sizes. Too expensive!
Estimate the resulting size of one quantification step by simulatingthe two constant propagations:
x = c not dep. on x
dep. on x
dep. on xremoved
recreated
f
15 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Quantifier Scheduling
Expected quantification result size?
How to compute the expected size of the quantification result?
One could actually perform quantifications by all variables to get theexact sizes. Too expensive!
Estimate the resulting size of one quantification step by simulatingthe two constant propagations:
x = 0 x = 1
∃x.f
f |x=0 f |x=1
15 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Combining AIGs and BDDs: BDD Sweeping
BDD Sweeping
BDD Sweeping: Combining advantages of AIG and BDDrepresentations
“Classical” notion of BDD sweeping by A. Kuehlmann: Detection offunctionally equivalent AIG nodes by BDD construction
Our functionally reduced AIGs don’t contain such nodes (achievedby SAT)!
But: BDD representations of Boolean functions in model checkingare not always large...
Therefore: Use “good” BDD representations to restructure AIGs!
17 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
BDD Sweeping
BDD Sweeping: Combining advantages of AIG and BDDrepresentations
“Classical” notion of BDD sweeping by A. Kuehlmann: Detection offunctionally equivalent AIG nodes by BDD construction
Our functionally reduced AIGs don’t contain such nodes (achievedby SAT)!
But: BDD representations of Boolean functions in model checkingare not always large...
Therefore: Use “good” BDD representations to restructure AIGs!
17 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
BDD Sweeping
BDD Sweeping: Combining advantages of AIG and BDDrepresentations
“Classical” notion of BDD sweeping by A. Kuehlmann: Detection offunctionally equivalent AIG nodes by BDD construction
Our functionally reduced AIGs don’t contain such nodes (achievedby SAT)!
But: BDD representations of Boolean functions in model checkingare not always large...
Therefore: Use “good” BDD representations to restructure AIGs!
17 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
BDD Sweeping
BDD Sweeping: Combining advantages of AIG and BDDrepresentations
“Classical” notion of BDD sweeping by A. Kuehlmann: Detection offunctionally equivalent AIG nodes by BDD construction
Our functionally reduced AIGs don’t contain such nodes (achievedby SAT)!
But: BDD representations of Boolean functions in model checkingare not always large...
Therefore: Use “good” BDD representations to restructure AIGs!
17 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
BDD Sweeping
BDD Sweeping Algorithm
AIG cone aBDD b AIG a′CUDD
3 · |b| < |a|
blow-up3 · |b| ≥ |a|
Failure
b ≡ a a′ ≡ a, |a′| < |a|
too big
good BDD
MUX0 1
low high
xx
low high
xlow high
18 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
BDD Sweeping
Application of BDD Sweeping
We apply BDD sweeping to the results of quantifications
We limit the number of created BDD nodes to avoid a blow-up
Heuristics ensure that BDD-sweeping is used less frequently if theBDD node limit was reached in the past
19 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Experimental Results
Experimental Results Our Model Checker
Our AIG based Model Checker
We use a standard CTL model checking algorithm based on fix pointiteration
The transition function and the characteristic functions of state setsare represented by AIGs
Alternatives for pre-image computation:
transition relation based:
χSat(EX φ)(~q, ~x) := ∃~q′∃~x ′(χR(~q, ~x , ~q′) · (χSat(φ)|~q←~q′,~x←~x′)(~q′, ~x ′))
transition function based:
χ′Sat(EX φ)(~q, ~x) := ∃~x ′(χSat(φ)|~q←~δ(~q,~x),~x←~x′)(~q, ~x ′))
21 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Experimental Results Functional Reduction, Node Selection Heuristics
Impact of Functional Reduction and Node SelectionHeuristics
No BDD sweeping, no quantifier schedulingam
29
10
.1
am
29
10
.2
am
29
10
.3
am
29
10
.4
am
29
10
.5
am
29
10
.6
barr
el 1
0.4
coh
ere
nce
.1
coh
ere
nce
.2
coh
ere
nce
.3
coh
ere
nce
.4
coh
ere
nce
.5
coh
ere
nce
.6
coh
ere
nce
.7
coh
ere
nce
.8
coh
ere
nce
.9
daio
.1
daio
.2
daio
.3
daio
.4
deca
y.1
6
deca
y.3
2
deca
y.4
8
deca
y.6
4
palu
.12
.4
palu
.14
.4
palu
.16
.4
pic
oja
va/icc
tl
pic
oja
va/b
iu
vip
er.
1
vip
er.
2
vip
er.
3
0
200
400
600
800
1000
1200
1400
1600
1800
2000
2200
2400
2600
2800
3000
3200
3400
3600
plain AIGs
FRAIGs, keep heur.
FRAIGs, size heur.
benchmark
run
tim
e
22 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Experimental Results BDD-Sweeping and Quantifier Scheduling
Impact of BDD Sweeping and Quantifier Scheduling
am
29
10
.1
am
29
10
.2
am
29
10
.3
am
29
10
.4
am
29
10
.5
am
29
10
.6
barr
el 1
0.4
coh
ere
nce
.1
coh
ere
nce
.2
coh
ere
nce
.3
coh
ere
nce
.4
coh
ere
nce
.5
coh
ere
nce
.6
coh
ere
nce
.7
coh
ere
nce
.8
coh
ere
nce
.9
daio
.1
daio
.2
daio
.3
daio
.4
deca
y.1
6
deca
y.3
2
deca
y.4
8
deca
y.6
4
palu
.12
.4
palu
.14
.4
palu
.16
.4
pic
oja
va/icc
tl
pic
oja
va/b
iu
vip
er.
1
vip
er.
2
vip
er.
3
0
200
400
600
800
1000
1200
1400
1600
1800
2000
2200
2400
2600
2800
3000
3200
3400
3600
FRAIGs, size heur.
FRAIGs. BDD-Sweep.
FRAIGs, BDD-Sweep., Quant. Sched.
benchmark
run
tim
e
23 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Experimental Results Comparison with BDD based model checkers
Comparison with BDD based model checkers
VIS: VIS 2.1, sifting, no reachability analysisBDDMC: our model checker with AIGs replaced by BDDs
am
29
10
.1
am
29
10
.2
am
29
10
.3
am
29
10
.4
am
29
10
.5
am
29
10
.6
barr
el 1
0.4
coh
ere
nce
.1
coh
ere
nce
.2
coh
ere
nce
.3
coh
ere
nce
.4
coh
ere
nce
.5
coh
ere
nce
.6
coh
ere
nce
.7
coh
ere
nce
.8
coh
ere
nce
.9
daio
.1
daio
.2
daio
.3
daio
.4
deca
y.1
6
deca
y.3
2
deca
y.4
8
deca
y.6
4
palu
.12
.4
palu
.14
.4
palu
.16
.4
pic
oja
va/icc
tl
pic
oja
va/b
iu
vip
er.
1
vip
er.
2
vip
er.
3
0
200
400
600
800
1000
1200
1400
1600
1800
2000
2200
2400
2600
2800
3000
3200
3400
3600
FRAIGs, BDD-Sweep., Quant. Sched.BDDMC
VIS 2.1
benchmark
run
tim
e
24 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Conclusions
Summary
Successful unbounded CTL model checking based on And-InverterGraphs (up to 2000 quantifications)
Made possible by using
Functionally Reduced And-Inverter GraphsSimple node selection heuristicsBDD sweepingand Quantifier Scheduling
Outperforms BDD based MCs on various benchmarks...
and has comparable runtimes on most other benchmarks
25 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Conclusions
Summary
Successful unbounded CTL model checking based on And-InverterGraphs (up to 2000 quantifications)
Made possible by using
Functionally Reduced And-Inverter GraphsSimple node selection heuristicsBDD sweepingand Quantifier Scheduling
Outperforms BDD based MCs on various benchmarks...
and has comparable runtimes on most other benchmarks
25 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Conclusions
Summary
Successful unbounded CTL model checking based on And-InverterGraphs (up to 2000 quantifications)
Made possible by using
Functionally Reduced And-Inverter GraphsSimple node selection heuristicsBDD sweepingand Quantifier Scheduling
Outperforms BDD based MCs on various benchmarks...
and has comparable runtimes on most other benchmarks
25 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Conclusions
Future and Related Work
Optimize heuristics (node selection, application of BDD sweeping)
Lazier AIG compression instead of complete functional reduction
Time limited SAT to skip hard SAT instances
Evaluate recent AIG rewriting techniques
Try structural SAT instead of CNF based SAT
At ATVA06 we presented a hybrid model checker based on AIGs andlinear constraints over the reals
26 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Conclusions
Future and Related Work
Optimize heuristics (node selection, application of BDD sweeping)
Lazier AIG compression instead of complete functional reduction
Time limited SAT to skip hard SAT instances
Evaluate recent AIG rewriting techniques
Try structural SAT instead of CNF based SAT
At ATVA06 we presented a hybrid model checker based on AIGs andlinear constraints over the reals
26 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling
Thank you for your attention!