Compositional reasoning for parameterized verification
Download
1 / 20

Compositional reasoning for Parameterized Verification - PowerPoint PPT Presentation


  • 113 Views
  • Uploaded on
  • Presentation posted in: General

Compositional reasoning for Parameterized Verification. Murali Talupur Joint work with Sava Krstic, John O’leary, Mark Tuttle. Protocol Verification. Distributed protocols are crucial components of modern computer systems Cache coherence protocols for example Designed parametrically

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha

Download Presentation

Compositional reasoning for Parameterized Verification

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Compositional reasoning for Parameterized Verification

Murali Talupur

Joint work with

Sava Krstic, John O’leary, Mark Tuttle


Protocol Verification

  • Distributed protocols are crucial components of modern computer systems

    • Cache coherence protocols for example

  • Designed parametrically

    • Full validation requires parametric reasoning

  • Protocol verification involves two main issues

    • Tightly coded

      • So standard predicate abstraction and COI reduction will not work

    • Unbounded parallelism


Existing Methods

Regular Model Checking

Aggregated Trans

Counter Abstraction

Theorem Proving

Invisible Invariants

CMP

Increasing Manual Effort

WS1S

Index predicates

Automatic methods don’t scale

Manual methods require human guidance but scale


CMP method

  • Compositional reasoning based method

    • Proposed by McMillan, elaborated by Chou et al and further simplified by Krstic

  • CMP scales to large protocols

    • This was one of the first techniques to handle Flash protocol

  • User has to supply “lemmas”

    • Supplying lemmas is easier than supplying inductive invariants

      • Easier than pure theorem proving


CMP Method

True or Real Cex

P(N)

PA

Abstract

Model Check

spurious cex

P#(N)

Strengthen

Invent

Lemma


Data Type Reduction

  • Reduces unbounded range [1..N] to [1,2, o]

    • Throws away the state spaces of [3..N]

    • Any condition involving them is conservatively over-approximated

1

2

PA

Other

1

2

3

N-1

N

P(N)


Rules are given in guarded

command form:

rl: ! a

ruleset src : [1,2] do

rule "NI_Local_Get_Put"

Sta.UniMsg[src].Cmd = UNI_Get &

!Sta.Dir.Pending

==>

Var NxtSta: State

begin

NxtSta := Sta;

NxtSta.Dir.Dirty := false;

NxtSta.UniMsg[src].Cmd := UNI_Put;

endrule;

endruleset;

rule "ABS_NI_Local_Get_Put"

true & !Sta.Dir.Pending

==>

var NxtSta : STATE;

begin

NxtSta := Sta;

NxtSta.Dir.Dirty := false;

NOP

endrule;

Example

ruleset src : NODE do

rule "NI_Local_Get_Put"

Sta.UniMsg[src].Cmd = UNI_Get &

!Sta.Dir.Pending

==>

Var NxtSta: State

begin

NxtSta := Sta;

NxtSta.Dir.Dirty := false;

NxtSta.UniMsg[src].Cmd := UNI_Put;

endrule;

endruleset;


Data Type Reduction

  • Data type reduction is syntactic

    • Very fast

    • Abstract model has small state space

  • Behavior of “Other” is not constrained at all

    • Need to add lemmas constraining the behaviors of “Other”


Refinement with Lemmas

  • User provides relevant lemmas

  • Parameterized system is strengthened with the lemmas

    • Data type reduction is applied as usual

    • The resulting abstract model is more refined than previously

      • Behavior of Other restricted by the states of processes 1 and 2


ruleset src : NODE do

rule "NI_Local_Get_Put"

Sta.UniMsg[src].Cmd = UNI_Get &

!Sta.Dir.Pending & forall dst: NODE do src != dst -> !(Sta.Proc[dst].CacheState = Cache_E) end

==>

var NxtSta : STATE;

begin

NxtSta := Sta;

NxtSta.Dir.Dirty := false;

NxtSta.UniMsg[src].Cmd := UNI_Put;

endrule;

endruleset;

rule "ABS_NI_Local_Get_Put"

true & !Sta.Dir.Pending & forall dst: [1,2]. !(Sta.Proc[dst].CacheState = Cache_E) end

==>

var NxtSta : STATE;

begin

NxtSta := Sta;

NxtSta.Dir.Dirty := false;

NOP

endrule;

Murphi Example

invariant "Lemma"

forall src : NODE do forall dst : NODE do

dst != src -> (Sta.Proc[dst].CacheState = Cache_E -> Sta.UniMsg[src].Cmd != UNI_Get)

end end;


CMP Method

8 i,j. (i,j)

P(N) ²

P(N)

² (1,2)

Strengthening

Circular Reasoning

Ps(N)

² (1,2)

Abstraction

DTR is conservative

PA

² (1,2)


Circular Reasoning Principle

  • System P consists of guarded rules ! a

  • Let Ri stand for all states reachable within i steps in P

    (8 s 2 Ri s ²)) (8 s 2 Ri s ²)

    Ps: Æ! a

    Ps²) P ²


Application

  • McOP is the cache coherence protocol of an experimental system with more than 50 cores

  • Vastly more complex than Flash

    • German has 7 msg types, Flash has 16, McOP has 55

  • The proof took one month

    • 25 lemmas

      • Final count does not include the several wrong/weak lemmas that were used

    • 5 auxiliary variables


Improvements to CMP

  • Automate as much as possible

  • Reduce the burden on human user

    • Derive lemmas automatically

    • Instead of data type reduction use richer abstraction


Deriving Lemmas from Flows

  • We can use message flows to derive powerful lemmas automatically


Dir

Dir

i

j

i

j

ReqS

ReqS

RecvReqS

RecvReqS

SendInv

SendInvAck

GntS

RecvGntS

RecvInvAck

GntS

RecvGntS

Flows: Examples

Process i intiates a Request Shared transaction: Case 1

Process i intiates a Request Shared transaction: Case 2


Deriving Lemmas from Flows

  • We can use message flows to derive powerful lemmas automatically

  • Advantages:

    • Message flows are readily available in design documents

    • Easy to understand

      • Flows are local involving two agents unlike system wide invariants

    • Valuable validation collateral


Dir

i

j

ReqS

RecvReqS

GntS

RecvGntS

Constraints from Flows

ReqShare(i)

SendReqS(i),RecvReqS(i),SendGntS(i),RecvGntS(i)

Precedence between rules:

For process i, action RecvReqS(i)

must happen before SendGntS(i)

Using lemmas from flows cut down the number

of manual lemmas by 75%!

Our FMCAD’08 paper has more details


O1

On

O2

Using Richer Abstractions

Use lightweight environment abstraction to track processes [3..N]

instead of completely throwing away their states

1

2

PA

Other

1

2

3

N-1

N

P(N)


Conclusion

  • CMP works very well in practice

    • The idea of complementing model checkers with user supplied lemmas works quite well

    • Perhaps the only method that really works

  • CMP is not just for cache coherence verification

    • Applicable to other distrbuted algorithms/concurrent software as well


ad
  • Login