Going with the Flow

Parameterized Verification using Message Flows

Murali Talupur & Mark Tuttle

SCL, Intel Corporation

Protocol Verification

• Distributed protocols are crucial components of modern computer systems– Cache coherence protocols for example

• Designed parametrically– Full validation requires parametric reasoning

• Protocol verification involves two main issues– Tightly coded

• So standard predicate abstraction and COI reduction will not work

– Unbounded or high degree of parallelism

Our Approach

Consists of two key elementsCMP Method: •A general framework for reasoning about systems with replication•We simplified and generalized the method

Flow based Invariants: •A new method for discovering invariants of concurrent systems•Implicit partial orders on system events yield valuable invariants

Existing Methods

Inde

x pre

dicat

es

WS1S

Counter Abstr

action

Regular Model C

hecking

Invisible In

varia

nts

Aggre

gate

d Tra

ns

CMP

Increasing Manual Effort

Theor

em P

rovin

g

Automatic methods don’t scale

Manual methods require human guidance but scale

CMP method

• Compositional reasoning based method– Proposed by McMillan, elaborated by Chou et al

[CTC] and further formalized by Krstic

• CMP: Pros and Cons– Scales to large protocols

• This was one of the first techniques to handle Flash protocol• Within Intel handled a cache protocol several orders of

magnitude bigger than even Flash

– User has to supply “lemmas”/invariants• Supplying lemmas is easier than supplying full blown

inductive invariants– Easier than pure theorem proving

CMP Method

P(N)True or Real Cex

Abstract

Strengthen

Model Check

Invent Lemma

PA

spurious cexP#(N)

Data Type Reduction

Other

21 N

21

N-13

• Reduces unbounded range [1..N] to [1,2, o]– Throws away the state spaces of [3..N]– Any condition involving them is conservatively over-approximated

P(N)

PA

ruleset src : [1..N] dorule “Local_Get" UniMsg[src].Cmd = Get & !Dir.Pending

==>begin Dir.Dirty := false; UniMsg[src].Cmd := Put;endrule;endruleset;

ruleset src : [1,2] dorule “Local_Get" UniMsg[src].Cmd = Get & !Dir.Pending

==>begin Dir.Dirty := false; UniMsg[src].Cmd := Put;endrule;endruleset;

rule "ABSLocal_Get" true & !Dir.Pending

==>begin Dir.Dirty := false; NOPendrule;

Rules are in guarded command form: r: ! a

Data Type Reduction

• Data type reduction is syntactic– Very fast– Abstract model has small state space

• Behavior of “Other” is not constrained at all– Need to refine “Other”

Refinement

User provides relevant lemmas

Proceeds in two steps:(i) Strengthening of P(N) with the lemmas

(ii) Abstracting the strengthened system

Strengthening

invariant "Lemma"forall src : NODE do forall dst : NODE do

dst != src -> (UniMsg[src].Cmd = Get -> !(Proc[dst].State = Excl))

ruleset src : NODE dorule “Local_Get" UniMsg[src].Cmd = Get & !Dir.Pending

==>begin Dir.Dirty := false; UniMsg[src].Cmd := Put;endrule;endruleset;

ruleset src : NODE dorule "Local_Get" UniMsg[src].Cmd = Get & !Dir.Pending & forall dst: NODE do src != dst -> !(Proc[dst].State = Excl) end==>begin Dir.Dirty := false; UniMsg[src].Cmd := Put;endrule;endruleset;

Refinement

ruleset src : NODE dorule "Local_Get" UniMsg[src].Cmd = Get & !Dir.Pending & forall dst: [1..N] do src != dst -> !(Proc[dst].State = Excl) end==>begin Dir.Dirty := false; UniMsg[src].Cmd := Put;endrule;endruleset;

rule "ABSLocal_Get"true & !Dir.Pending & forall dst: [1,2]. -> !(Proc[dst].State = Excl) end

==> beginDir.Dirty := false; NOPendrule;

Abstracting strengthened system leads to a refined abstract model

CMP Method

P(N)

Ps(N)

PA

Strengthen with8 i,j. (i,j)

Abstraction

²

²

²

DTR is conservative

ApparentCircular Reasoning

P(N) ² 8 i,j. (i,j)

Conjunction of property to be proved and lemmas

Paper has the proof details!

Flow based Invariants

• Rich partial orders on system events are implicit in the concurrent protocols– We call these Message Flows or simply Flows

• And these can yield powerful invariants

Dir i j

SendReqS

SendGntS

RecvReqS

RecvGntS

i jDir

SendReqS

RecvReqS

SendInv

SendGntS

SendInvAck

RecvGntS

RecvInvAck

Process i intiates a Request Shared transaction: Case 1

Process i intiates a Request Shared transaction: Case 2

Flows: Examples

Constraints from Flows

Dir i j

SendReqS

SendGntS

RecvReqS

RecvGntS

ReqShare(i)

SendReqS(i),RecvReqS(i),SendGntS(i),RecvGntS(i)

Precedence between rules:For instance, for process i, action RecvReqS(i)must happen before SendGntS(i)

Tracking Flows

A set Aux(i) of auxiliary variables to track 1) all the flows that a process i is involved in

2) for each such flow the last rule that was fired

Each aux 2 Aux(i) is initially ( no_flow, no_rule )

If process i fires rules rn in a flow

f: r1,….rn-1, rn,…..rm

update aux = (f,rn-1) to (f,rn) If rn is the last rule reset the aux variable

Constraints from Flows

Dir i j

SendReqS

SendGntS

RecvReqS

RecvGntS

Precondition for process i firing rn in flow f:

C(rn,f): 9 aux 2 Aux(i). aux = (f, rn-1 )

Lemmas from Flows

Let r: ! a appear in flows f1,..,fn Find precedence constraints

C1(r,f1), ..,Cn(r,fn)

Let pre(r) = C1(r,f1) Ç ..Ç Cn(r,fn)

Lemma: ) pre(r)

Deriving Lemmas from Flows

• We can easily convert message flows into invariants– Our experiments indicate the resulting invariants are

very powerful

• Advantages:– Message flows are readily available in design

documents– Easy to understand

• Flows are local and linear• No low level details of the protocol

– Valuable validation collateral

A German FlowReqShare: SendReqS,RecvReqS,SendInval,SendGntS,RecvGntS

invariant "Lemma_1" forall i : NODE do Chan3[i].Cmd = InvAck & CurCmd != Empty & ExGntd = true -> Chan3[i].Data = AuxData & forall j : NODE do j != i -> Cache[j].State != E & Chan2[j].Cmd != GntE & Chan3[j].Cmd != InvAck

Modified CMP Flow

DesignDoc

Add aux andFlow lemmas

Flows

P(N)

Pa(N)

Abstract

Strengthen

Model Check

Invent Lemma

PA

Done or Real Cex

spurious cex

P#(N)

Experimental Results• We applied our method to two standard examples

– German and Flash– Verified both control and data property– Compared against CTC

• German– 3 flows and 2 lemmas added manually– Lemmas slightly simpler than ones in CTC

• Flash– 6 flows and 2 lemmas in contrast to > 5 lemmas in CTC

• one trivial and one from CTC paper– Lemma complexity reduced by 75%– One auxiliary variable in contrast to 4 in CTC paper

• Different from flow auxiliary variables• This helps our running times as well: couple of minutes compared to

couple of hours in the CTC work

Conclusion/ Future Work

A powerful new method for parameterized verification based on(i) the CMP method and(ii) invariants from Flows

CMP Method:

(i) We have simplified and generalized the CMP method(ii) Allows more abstractions than simple data type reduction

Thus, more widely applicable

Flows:

A new way to derive invariants for concurrent systems

Look for implicit partial orders on system events!

Conclusion/Future Work

More can be done with flows: Online monitoring to see all traces conform to flows Extend flows to other distributed systems

Flows for shared memory systems using other types of system events…

Learn flows automatically…