Lazy Decision Diagrams for Word-Level ModelManipulation in Software Verification

Farn Wang

Dept. of Electrical Engineering & Graduate Institute of Electronic EngineeringNational Taiwan University

farn@cc.ee.ntu.edu.tw; http://cc.ee.ntu.edu.tw/˜farn

REDLIB is available at http://sites.google.com/site/redlibtw/.

Abstract—Word-levelWord-level predicates involve high-leveldescriptions of integer variables and can be complex to representand manipulate with traditional decision diagrams like BDDs(binary decision diagrams) and MDDs (multiple-valued decisiondiagrams). We propose a new type of decision diagram nodes,called LD-nodes (lazy decision nodes), for word-level inequalitiesthat allow for lazy evaluation. Such nodes can be incorporated inBDDs, MDDs, and CRDs (clock-restriction diagrams). We presentalgorithms for operations on diagrams with LDD nodes. We thenreport our experiment of our technology with several benchmarks.A library implementing the approach is available at SourceForgewebpage for project REDLIB.Keywords: decision diagram, BDD, verification, model-checking, simulation

I. INTRODUCTION

Word-level descriptions are very often used in high-level de-scription of system behaviors. In contrast, traditional decisiondiagrams are usually constructed for all value combinationsthat satisfy a word-level description. The discrepancy mayresult in highly complex decision diagrams. For example, wemay have two variables x, y in the range of [1, 10]. Thenthe word-level description of x ∗ y < 10 results in an MDD(multiple-valued deicsion disgram) [3], [5] in figure 1(a). Ascan be seen, the sizes of the decision diagrams can growexponentially to the input size of the descriptions. It is well-known that multiplcation may incur exponential representationsizes to input size [1]. In practice, such word-level constraintsare indispensible in the high-level description of transition re-lation and rules of systems under verification. In this work, wepropose a new type of nodes, called lazy decision nodes (LD-nodes), in traditional decision diagrams for such word-levelinequalities. LD-nodes can also be introduced in BDD, ZDD[4], CRD [6], HRD [7], etc. For convenience, we call decisiondiagrams with LD-nodes lazy decision diagrams (LDD). Forexample, such an LDD is presented in figure 1(b) that involvespredicate x ∗ y < 10. The constraints of those LD-nodes arenot evaluated to avoid the representation and manipulationcomplexity. When users decide that there is enough contextinformation on the specific values of data variables, they mayinvoke delayed evaluation of LDDs to avoid the explorationof those data values that do not appear in the context. Thediagram in figure 1(c) shows the delayed evaluation of theone in figure 1(b) in the context of x ∈ [4, 5] and y ∈ [1, 3].

Although the range of x and y are both [1, 10], the delayedevaluation uses the values that actually occur in figure 1(b) toprune the data space to explore.

We have the following presentation plan. Section II dis-cusses related work. Section III defines LDDs. Section IVpresents our delayed evaluation algorithm for LDDs. Section Vreports our experiments with LDDs. Section VI is the conclu-sion.

II. RELATED WORK

BMD (Binary Moment Diagram) [2] was one of the earlyresult in word-level verification. CDD, CRD [6], and HRD[7] can be viewed as word-level decision diagrams for densespaces with specialized manipulation algorithms. The majordifference of our work from the previous ones is that LDDsare used as temporary representations with lazy evaluations.Eventually, constraints of LD-nodes are to be solved whenusers feel that enough context information can be collected toavoid the representation and manipulation complexity.

III. LAZY DECISION DIAGRAMS

In the following, we define MDDs with LD-nodes with inte-ger variables of finite interval ranges. Given a set X of integervariables, for each x ∈ X , we denote the range of x as Rx. Anarithmetic expression ε of X is inductively defined with thefollowing rule: ε ::= c | x | ε1 + ε2 | ε1 − ε2 | ε1 ∗ ε2 | ε1/ε2.Here c is a nonnegative integer constant and x ∈ X . Anarithmetic inequality η of X is in one of the following sixforms.

η ::= ε1 < ε2 | ε1 ≤ ε2 | ε1 = ε2 | ε1 �= ε2 | ε1 ≥ ε2 | ε1 > ε2

We let AX denote the set of arithmetic expressions andinequalities of X . An arithmetic inequality ε1 ∼ ε2 is callednormalized with respect to ≺ if ε1 ≺ ε2 and ∼∈ {<,≤, =}.To reduce the complexity incurred by different inequalities forone constraint, we require that all inequalities used in LDDsare normalized.

An interval θ precedes another θ′ if for every i ∈ θ andi′ ∈ θ′, i < i′.

Definition 1: LDD with MDD Given a set of integervariables X and a total ordering ≺ of X , an LDD D is oneof the following inductive structures.

2010 Fourth International Symposium on Theoretical Aspects of Software Engineering

978-0-7695-4148-8/10 $26.00 © 2010 IEEE

DOI 10.1109/TASE.2010.31

183

2010 Fourth International Symposium on Theoretical Aspects of Software Engineering

978-0-7695-4148-8/10 $26.00 © 2010 IEEE

DOI 10.1109/TASE.2010.31

183

2010 Fourth International Symposium on Theoretical Aspects of Software Engineering

978-0-7695-4148-8/10 $26.00 © 2010 IEEE

DOI 10.1109/TASE.2010.31

183

xx

true true

y

x ∗ y < 10

y y

x

true

[1, 10]

(b) (c)

[5, 5]

(a)

[1, 10]

true

[4, 4]

[1, 1][1, 2]

y y y y y

[1, 1] [2, 2] [4, 4]

[1, 9][1, 4]

[1, 1]

[5, 9][3, 3]

[1, 3][1, 2]

Fig. 1. Decision diagrams with x ∗ y < 10

• true. In this case, we let root(D) def= true.• false. In this case, we let root(D) def= false.• A structure MD node(x, (θ1, D1), . . . , (θn, Dn)) withthe following restrictions.− x ∈ X . In this case, we let root(D) def= x.− For each 1 ≤ i ≤ n, θi is an interval of Rx and Di is

an LDD with x ≺ root(Di).− For each 1 ≤ i < n, θi precedes θi+1.• A structure LD node(η, Dfalse, Dtrue) where η is anarithmetic inequality of X and Dfalse, Dtrue are LDDs withη ≺ root(Dfalse) and η ≺ root(Dtrue). In this case, we letroot(D) def= η.

Reduced LDDs are those LDDs without redundancy in repre-sentation by treating those LDD nodes as regular MDD nodes.

�In our implementation, to reduce the complexity of delayed

evaluation, we require that for each arithmetic inequality ηand each variable x that appears in η, x ≺ η. This can behandy in using the lower-bounds and upper-bounds derivedfrom the ancestors to an LDD node in the top-down traversalof an LDD for the delayed evaluation of the LDD node.

IV. ALGORITHM FOR DELAYED EVALUATION

Given a set X of variables, a (partial) function φ from Xto values in

⋃x∈X Rx, a variable y ∈ X , and a value c ∈ Ry ,

we let φ[y ← c] be a new function that is identical to φexcept φ[y ← c](y) = c. We also let ⊥ be the function that isundefined on everything.

Given an MDD C as the context constraint, we assumethere are two functions lbC and ubC that respectively returnthe lower-bounds and the upper-bounds recorded in C for allvariables. For each x ∈ X , they are defined as in table I. lbC()and ubC() can be constructed with a depth-first traversal ofall nodes in C. Due to page-limit, we do not include thedetails of the two procedures. Our delayed evaluation of anLDD D with a given context constraint MDD C can be foundin table II. Here, MDD and(), MDD or(), and MDD not()are respectively the AND, OR, and NOT Boolean operationson MDDs. MDD reduce() is the reduce operation to removeredundancy from its operand.

Given a guarded command like τ → x1 := ε1; . . . ; xn :=

εn;1 with word-level triggering constraint τ and word-levelexpressions ε1, . . . , εn, the post-condition of constraint Cthrough the command can be computed with the procedurein table III. Note that at statement 28 in table III, we estimatethat ε is a complex predicate and may incur MDD explosionand decide to represent it with an LDD.

Preconditions can also be computed in a similar way. Dueto page-limit, we do not elaborate on this. The post-conditionand precondition procedures in the above then constitute thebasic blocks for fixpoint calculation.

V. EXPERIMENTS

We have implemented the LDD technology with ourREDLIB project in SourceForge pages. Here we report ourexperiment of safety analysis with the following three bench-marks with word-level constraints. The transition relationsof the benchmarks involve complex constraints that couldnot be handled without the LDD technology in our previousimplementation.• A medical dispenser with six processes, a data array forsix drug containers, and a schedule for medical dispensingat every 30 minutes. There are 24 control locations and105 transition rules. With the LDD technology, our safetyanalyzer can detect a risk condition in 0.58 seconds with14.5MB memory.• A mobile phone with three processes and a data arrayfor five MP3 songs. The model also includes a calculatorand some games. There are 53 control locations and 539transition rules. With the LDD technology, our safetyanalyzer can detect a deadlock in 0.65 seconds with42.8MB memory.• Quicksort algorithm for 10 data elements. The modelalso describes the file operations between the operatingsystem and the algorithm. There are 14 control locationsand 53 transition rules. With the LDD technology, oursafety analyzer can detect a sorting failure in 3.37 secondswith 43.8MB memory.

For example, in the quicksort algorithm benchmark, we haveconstraints like i ≤ n ∧ list[i] ≤ key. Here n is the lengthof an array, i is an index to the array elements, list is thearray for the elements, and key is the value of the pivot

1For each 1 ≤ i ≤ n, we assume xi does not appear in εi.

184184184

A structure MD node(y, . . . , (θ,Di), . . .) Yes! No!in C with y ≺ x ≺ root(Di) ?lbC(x) min(Rx) min {min(θ1) |MD node(x, (θ1,D1), . . .) is a structure in C.}ubC(x) max(Rx) max {max(θn) |MD node(x, . . . , (θn,Dn)) is a structure in C.}

TABLE IDEFINITION OF PROCEDURES FOR LOWER-BOUNDS AND UPPER-BOUNDS RECORDED IN AN MDD FOR A VARIABLE x.

1: function MDD ldd_eval(LDD D,MDD C)2: Φ := ∅; E := C; � Φ for computation hash, E for global context constraint.3: Return(MDD_and(C, rec_eval(D))).4: end function5: function MDD rec_eval(LDD D)6: if D is either false or true then7: Return D.8: else if (D, S) ∈ Φ then9: Return S

10: else if D is MD node(x, (θ1,D1), . . . , (θn,Dn)) then11: Let S be MD node (x, (θ1,rec_eval(D1)), . . . , (θn, rec_eval(Dn)))12: else if D is LD node(η, Dfalse, Dtrue) then13: Let K = MDD_ineq(1,⊥, η, E).14: Let S be MDD and(MDD not(K), rec_eval(Dfalse)).15: Let S be MDD or(S,MDD and(K,rec_eval(Dtrue))).16: end if17: Let S := MDD reduce(S); Φ := Φ ∪ {(D, S)}.18: Return S.19: end function20: function MDD MDD_ineq(int i, function φ, expression η, MDD E)21: � The variables in η are x1, . . . , xn. lbE(xi) = hi and ubE(xi) = ki.22: if i > n then23: if η is true according to φ then24: Return true.25: else26: Return false.27: end if28: else29: Return MDD reduce(MD node(xi,30: ([hi, hi],MDD_ineq(i+ 1, φ[xi ← hi], η, E)),31: ([hi + 1, hi + 1],MDD_ineq(i+ 1, φ[xi ← hi + 1], η, E)),32: . . . . . . . . . . . . . . . . . . ,33: ([ki, ki],MDD_ineq(i+ 1, φ[xi ← ki], η, E))34: ) ).35: end if36: end function

TABLE IIALGORITHM FOR THE EVALUATION OF LDDS

element in a recursive call. Without the LDD technology, oursafety analyzer could not finish constructing the MDDs forcomponents of the transition relation for the benchmarks dueto space limit.

VI. CONCLUSION

As can be seen from the experiment, our LDD technologycould be promising in verifying complex systems with word-level constraints. As a short paper, we have omitted lemmas forthe properties of LDDs and the correctness of the procedures.It would be interesting to pursue in such line to allow us togain deeper knowledge of LDDs.

REFERENCES

[1] R. E. Bryant. Graph-based algorithms for boolean function manipulation.IEEE Transactions on Computer, C-35(8), 1986.

[2] R. E. Bryant and Y.-A. Chen. Verification of arithmetic circuits usingbinary moment diagrams. International Journal on Software Tools forTechnology Transfer (STTT), 3(2), 2001.

[3] D. Miller. Multiple-valued logic design tools, invited address. InProceedings of the 23rd International Symposium on Multiple-ValuedLogic, pages 2–11, 1993.

[4] S. Minato. Zero-suppressed bdds for set manipulation in combinatorialproblems. In Proceedings of DAC’93, pages 272–277, 1993.

[5] S. Minato. Graph-based representations of discrete function. In Proceed-ings of the IFIP Workshop on the Application of Reed-Muller Expansionin Circuit Design, pages 1–10, 1995.

[6] F. Wang. Efficient verification of timed automata with bdd-like data-structures. STTT (Software Tools for Technology Transfer), 6(1), 2004.

[7] F. Wang. Symbolic parametric safety analysis of linear hybrid systems

185185185

1: function LDD lazy_post(LDD C, transition rule τ → x1 := ε1; . . . ; xn := εn; )2: Let ψ be the LDD of lazy_eval(τ) ∧ C.3: for i := 1 to n do4: Let ψ be the LDD of lazy_eval(xi = εi) ∧ ∃xi(ψ)5: end for6: return ψ7: end function8: function LDD lazy_eval(expression ε)9: if ε is either true or false then

10: Return the LDD of ε.11: else if ε is x ∼ c with a variable x and a constant c then12: Return the LDD of ε.13: else if ε is ∃x(ε1) then14: Let ψ = lazy_eval(ε1).15: if ψ is not an MDD then16: Return LD node(∃x(ψ), false, true).17: else if |Rx| is smaller than a given limit then18: Return the MDD of

Wc∈Rx

ψ|x=c.19: else20: Return LD node(∃x(ψ), false, true).21: end if22: else if ε is ¬ε1 then23: Return the LDD of ¬lazy_eval(ε1).24: else if ε is ε1 ∨ ε2 then25: Return the LDD of lazy_eval(ε1) ∨ lazy_eval(ε2).26: else if ε is ε1 ∧ ε2 then27: Return the LDD of lazy_eval(ε1 ∧ lazy_eval(ε2).28: else29: Return LD node(ε, false, true).30: end if31: end function

TABLE IIIPROCEDURE FOR DELAYED EVALUATION OF POST-CONDITIONS

with bdd-like data-structures. IEEE Transactions on Software Engineer-ing, 31(1):38–51, 2005.

186186186