Compositional reasoning for parameterized verification
This presentation is the property of its rightful owner.
Sponsored Links
1 / 20

Compositional reasoning for Parameterized Verification PowerPoint PPT Presentation


  • 84 Views
  • Uploaded on
  • Presentation posted in: General

Compositional reasoning for Parameterized Verification. Murali Talupur Joint work with Sava Krstic, John O’leary, Mark Tuttle. Protocol Verification. Distributed protocols are crucial components of modern computer systems Cache coherence protocols for example Designed parametrically

Download Presentation

Compositional reasoning for Parameterized Verification

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Compositional reasoning for parameterized verification

Compositional reasoning for Parameterized Verification

Murali Talupur

Joint work with

Sava Krstic, John O’leary, Mark Tuttle


Protocol verification

Protocol Verification

  • Distributed protocols are crucial components of modern computer systems

    • Cache coherence protocols for example

  • Designed parametrically

    • Full validation requires parametric reasoning

  • Protocol verification involves two main issues

    • Tightly coded

      • So standard predicate abstraction and COI reduction will not work

    • Unbounded parallelism


Existing methods

Existing Methods

Regular Model Checking

Aggregated Trans

Counter Abstraction

Theorem Proving

Invisible Invariants

CMP

Increasing Manual Effort

WS1S

Index predicates

Automatic methods don’t scale

Manual methods require human guidance but scale


Cmp method

CMP method

  • Compositional reasoning based method

    • Proposed by McMillan, elaborated by Chou et al and further simplified by Krstic

  • CMP scales to large protocols

    • This was one of the first techniques to handle Flash protocol

  • User has to supply “lemmas”

    • Supplying lemmas is easier than supplying inductive invariants

      • Easier than pure theorem proving


Cmp method1

CMP Method

True or Real Cex

P(N)

PA

Abstract

Model Check

spurious cex

P#(N)

Strengthen

Invent

Lemma


Data type reduction

Data Type Reduction

  • Reduces unbounded range [1..N] to [1,2, o]

    • Throws away the state spaces of [3..N]

    • Any condition involving them is conservatively over-approximated

1

2

PA

Other

1

2

3

N-1

N

P(N)


Example

Rules are given in guarded

command form:

rl: ! a

ruleset src : [1,2] do

rule "NI_Local_Get_Put"

Sta.UniMsg[src].Cmd = UNI_Get &

!Sta.Dir.Pending

==>

Var NxtSta: State

begin

NxtSta := Sta;

NxtSta.Dir.Dirty := false;

NxtSta.UniMsg[src].Cmd := UNI_Put;

endrule;

endruleset;

rule "ABS_NI_Local_Get_Put"

true & !Sta.Dir.Pending

==>

var NxtSta : STATE;

begin

NxtSta := Sta;

NxtSta.Dir.Dirty := false;

NOP

endrule;

Example

ruleset src : NODE do

rule "NI_Local_Get_Put"

Sta.UniMsg[src].Cmd = UNI_Get &

!Sta.Dir.Pending

==>

Var NxtSta: State

begin

NxtSta := Sta;

NxtSta.Dir.Dirty := false;

NxtSta.UniMsg[src].Cmd := UNI_Put;

endrule;

endruleset;


Data type reduction1

Data Type Reduction

  • Data type reduction is syntactic

    • Very fast

    • Abstract model has small state space

  • Behavior of “Other” is not constrained at all

    • Need to add lemmas constraining the behaviors of “Other”


Refinement with lemmas

Refinement with Lemmas

  • User provides relevant lemmas

  • Parameterized system is strengthened with the lemmas

    • Data type reduction is applied as usual

    • The resulting abstract model is more refined than previously

      • Behavior of Other restricted by the states of processes 1 and 2


Murphi example

ruleset src : NODE do

rule "NI_Local_Get_Put"

Sta.UniMsg[src].Cmd = UNI_Get &

!Sta.Dir.Pending & forall dst: NODE do src != dst -> !(Sta.Proc[dst].CacheState = Cache_E) end

==>

var NxtSta : STATE;

begin

NxtSta := Sta;

NxtSta.Dir.Dirty := false;

NxtSta.UniMsg[src].Cmd := UNI_Put;

endrule;

endruleset;

rule "ABS_NI_Local_Get_Put"

true & !Sta.Dir.Pending & forall dst: [1,2]. !(Sta.Proc[dst].CacheState = Cache_E) end

==>

var NxtSta : STATE;

begin

NxtSta := Sta;

NxtSta.Dir.Dirty := false;

NOP

endrule;

Murphi Example

invariant "Lemma"

forall src : NODE do forall dst : NODE do

dst != src -> (Sta.Proc[dst].CacheState = Cache_E -> Sta.UniMsg[src].Cmd != UNI_Get)

end end;


Cmp method2

CMP Method

8 i,j. (i,j)

P(N) ²

P(N)

² (1,2)

Strengthening

Circular Reasoning

Ps(N)

² (1,2)

Abstraction

DTR is conservative

PA

² (1,2)


Circular reasoning principle

Circular Reasoning Principle

  • System P consists of guarded rules ! a

  • Let Ri stand for all states reachable within i steps in P

    (8 s 2 Ri s ²)) (8 s 2 Ri s ²)

    Ps: Æ! a

    Ps²) P ²


Application

Application

  • McOP is the cache coherence protocol of an experimental system with more than 50 cores

  • Vastly more complex than Flash

    • German has 7 msg types, Flash has 16, McOP has 55

  • The proof took one month

    • 25 lemmas

      • Final count does not include the several wrong/weak lemmas that were used

    • 5 auxiliary variables


Improvements to cmp

Improvements to CMP

  • Automate as much as possible

  • Reduce the burden on human user

    • Derive lemmas automatically

    • Instead of data type reduction use richer abstraction


Deriving lemmas from flows

Deriving Lemmas from Flows

  • We can use message flows to derive powerful lemmas automatically


Compositional reasoning for parameterized verification

Dir

Dir

i

j

i

j

ReqS

ReqS

RecvReqS

RecvReqS

SendInv

SendInvAck

GntS

RecvGntS

RecvInvAck

GntS

RecvGntS

Flows: Examples

Process i intiates a Request Shared transaction: Case 1

Process i intiates a Request Shared transaction: Case 2


Deriving lemmas from flows1

Deriving Lemmas from Flows

  • We can use message flows to derive powerful lemmas automatically

  • Advantages:

    • Message flows are readily available in design documents

    • Easy to understand

      • Flows are local involving two agents unlike system wide invariants

    • Valuable validation collateral


Constraints from flows

Dir

i

j

ReqS

RecvReqS

GntS

RecvGntS

Constraints from Flows

ReqShare(i)

SendReqS(i),RecvReqS(i),SendGntS(i),RecvGntS(i)

Precedence between rules:

For process i, action RecvReqS(i)

must happen before SendGntS(i)

Using lemmas from flows cut down the number

of manual lemmas by 75%!

Our FMCAD’08 paper has more details


Using richer abstractions

O1

On

O2

Using Richer Abstractions

Use lightweight environment abstraction to track processes [3..N]

instead of completely throwing away their states

1

2

PA

Other

1

2

3

N-1

N

P(N)


Conclusion

Conclusion

  • CMP works very well in practice

    • The idea of complementing model checkers with user supplied lemmas works quite well

    • Perhaps the only method that really works

  • CMP is not just for cache coherence verification

    • Applicable to other distrbuted algorithms/concurrent software as well


  • Login