Compositional reasoning for Parameterized Verification

Download Presentation

Compositional reasoning for Parameterized Verification

Loading in 2 Seconds...

- 95 Views
- Uploaded on
- Presentation posted in: General

Compositional reasoning for Parameterized Verification

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Compositional reasoning for Parameterized Verification

Murali Talupur

Joint work with

Sava Krstic, John O’leary, Mark Tuttle

- Distributed protocols are crucial components of modern computer systems
- Cache coherence protocols for example

- Designed parametrically
- Full validation requires parametric reasoning

- Protocol verification involves two main issues
- Tightly coded
- So standard predicate abstraction and COI reduction will not work

- Unbounded parallelism

- Tightly coded

Regular Model Checking

Aggregated Trans

Counter Abstraction

Theorem Proving

Invisible Invariants

CMP

Increasing Manual Effort

WS1S

Index predicates

Automatic methods don’t scale

Manual methods require human guidance but scale

- Compositional reasoning based method
- Proposed by McMillan, elaborated by Chou et al and further simplified by Krstic

- CMP scales to large protocols
- This was one of the first techniques to handle Flash protocol

- User has to supply “lemmas”
- Supplying lemmas is easier than supplying inductive invariants
- Easier than pure theorem proving

- Supplying lemmas is easier than supplying inductive invariants

True or Real Cex

P(N)

PA

Abstract

Model Check

spurious cex

P#(N)

Strengthen

Invent

Lemma

- Reduces unbounded range [1..N] to [1,2, o]
- Throws away the state spaces of [3..N]
- Any condition involving them is conservatively over-approximated

1

2

PA

Other

1

2

3

N-1

N

P(N)

Rules are given in guarded

command form:

rl: ! a

ruleset src : [1,2] do

rule "NI_Local_Get_Put"

Sta.UniMsg[src].Cmd = UNI_Get &

!Sta.Dir.Pending

==>

Var NxtSta: State

begin

NxtSta := Sta;

NxtSta.Dir.Dirty := false;

NxtSta.UniMsg[src].Cmd := UNI_Put;

endrule;

endruleset;

rule "ABS_NI_Local_Get_Put"

true & !Sta.Dir.Pending

==>

var NxtSta : STATE;

begin

NxtSta := Sta;

NxtSta.Dir.Dirty := false;

NOP

endrule;

ruleset src : NODE do

rule "NI_Local_Get_Put"

Sta.UniMsg[src].Cmd = UNI_Get &

!Sta.Dir.Pending

==>

Var NxtSta: State

begin

NxtSta := Sta;

NxtSta.Dir.Dirty := false;

NxtSta.UniMsg[src].Cmd := UNI_Put;

endrule;

endruleset;

- Data type reduction is syntactic
- Very fast
- Abstract model has small state space

- Behavior of “Other” is not constrained at all
- Need to add lemmas constraining the behaviors of “Other”

- User provides relevant lemmas
- Parameterized system is strengthened with the lemmas
- Data type reduction is applied as usual
- The resulting abstract model is more refined than previously
- Behavior of Other restricted by the states of processes 1 and 2

ruleset src : NODE do

rule "NI_Local_Get_Put"

Sta.UniMsg[src].Cmd = UNI_Get &

!Sta.Dir.Pending & forall dst: NODE do src != dst -> !(Sta.Proc[dst].CacheState = Cache_E) end

==>

var NxtSta : STATE;

begin

NxtSta := Sta;

NxtSta.Dir.Dirty := false;

NxtSta.UniMsg[src].Cmd := UNI_Put;

endrule;

endruleset;

rule "ABS_NI_Local_Get_Put"

true & !Sta.Dir.Pending & forall dst: [1,2]. !(Sta.Proc[dst].CacheState = Cache_E) end

==>

var NxtSta : STATE;

begin

NxtSta := Sta;

NxtSta.Dir.Dirty := false;

NOP

endrule;

invariant "Lemma"

forall src : NODE do forall dst : NODE do

dst != src -> (Sta.Proc[dst].CacheState = Cache_E -> Sta.UniMsg[src].Cmd != UNI_Get)

end end;

8 i,j. (i,j)

P(N) ²

P(N)

² (1,2)

Strengthening

Circular Reasoning

Ps(N)

² (1,2)

Abstraction

DTR is conservative

PA

² (1,2)

- System P consists of guarded rules ! a
- Let Ri stand for all states reachable within i steps in P
(8 s 2 Ri s ²)) (8 s 2 Ri s ²)

Ps: Æ! a

Ps²) P ²

- McOP is the cache coherence protocol of an experimental system with more than 50 cores
- Vastly more complex than Flash
- German has 7 msg types, Flash has 16, McOP has 55

- The proof took one month
- 25 lemmas
- Final count does not include the several wrong/weak lemmas that were used

- 5 auxiliary variables

- 25 lemmas

- Automate as much as possible
- Reduce the burden on human user
- Derive lemmas automatically
- Instead of data type reduction use richer abstraction

- We can use message flows to derive powerful lemmas automatically

Dir

Dir

i

j

i

j

ReqS

ReqS

RecvReqS

RecvReqS

SendInv

SendInvAck

GntS

RecvGntS

RecvInvAck

GntS

RecvGntS

Flows: Examples

Process i intiates a Request Shared transaction: Case 1

Process i intiates a Request Shared transaction: Case 2

- We can use message flows to derive powerful lemmas automatically
- Advantages:
- Message flows are readily available in design documents
- Easy to understand
- Flows are local involving two agents unlike system wide invariants

- Valuable validation collateral

Dir

i

j

ReqS

RecvReqS

GntS

RecvGntS

ReqShare(i)

SendReqS(i),RecvReqS(i),SendGntS(i),RecvGntS(i)

Precedence between rules:

For process i, action RecvReqS(i)

must happen before SendGntS(i)

Using lemmas from flows cut down the number

of manual lemmas by 75%!

Our FMCAD’08 paper has more details

O1

On

O2

Use lightweight environment abstraction to track processes [3..N]

instead of completely throwing away their states

1

2

PA

Other

1

2

3

N-1

N

P(N)

- CMP works very well in practice
- The idea of complementing model checkers with user supplied lemmas works quite well
- Perhaps the only method that really works

- CMP is not just for cache coherence verification
- Applicable to other distrbuted algorithms/concurrent software as well