Going with the Flow
Parameterized Verification using Message Flows
Murali Talupur & Mark Tuttle
SCL, Intel Corporation
Protocol Verification
• Distributed protocols are crucial components of modern computer systems– Cache coherence protocols for example
• Designed parametrically– Full validation requires parametric reasoning
• Protocol verification involves two main issues– Tightly coded
• So standard predicate abstraction and COI reduction will not work
– Unbounded or high degree of parallelism
Our Approach
Consists of two key elementsCMP Method: •A general framework for reasoning about systems with replication•We simplified and generalized the method
Flow based Invariants: •A new method for discovering invariants of concurrent systems•Implicit partial orders on system events yield valuable invariants
Existing Methods
Inde
x pre
dicat
es
WS1S
Counter Abstr
action
Regular Model C
hecking
Invisible In
varia
nts
Aggre
gate
d Tra
ns
CMP
Increasing Manual Effort
Theor
em P
rovin
g
Automatic methods don’t scale
Manual methods require human guidance but scale
CMP method
• Compositional reasoning based method– Proposed by McMillan, elaborated by Chou et al
[CTC] and further formalized by Krstic
• CMP: Pros and Cons– Scales to large protocols
• This was one of the first techniques to handle Flash protocol• Within Intel handled a cache protocol several orders of
magnitude bigger than even Flash
– User has to supply “lemmas”/invariants• Supplying lemmas is easier than supplying full blown
inductive invariants– Easier than pure theorem proving
CMP Method
P(N)True or Real Cex
Abstract
Strengthen
Model Check
Invent Lemma
PA
spurious cexP#(N)
Data Type Reduction
Other
21 N
21
N-13
• Reduces unbounded range [1..N] to [1,2, o]– Throws away the state spaces of [3..N]– Any condition involving them is conservatively over-approximated
P(N)
PA
ruleset src : [1..N] dorule “Local_Get" UniMsg[src].Cmd = Get & !Dir.Pending
==>begin Dir.Dirty := false; UniMsg[src].Cmd := Put;endrule;endruleset;
ruleset src : [1,2] dorule “Local_Get" UniMsg[src].Cmd = Get & !Dir.Pending
==>begin Dir.Dirty := false; UniMsg[src].Cmd := Put;endrule;endruleset;
rule "ABSLocal_Get" true & !Dir.Pending
==>begin Dir.Dirty := false; NOPendrule;
Rules are in guarded command form: r: ! a
Data Type Reduction
• Data type reduction is syntactic– Very fast– Abstract model has small state space
• Behavior of “Other” is not constrained at all– Need to refine “Other”
Refinement
User provides relevant lemmas
Proceeds in two steps:(i) Strengthening of P(N) with the lemmas
(ii) Abstracting the strengthened system
Strengthening
invariant "Lemma"forall src : NODE do forall dst : NODE do
dst != src -> (UniMsg[src].Cmd = Get -> !(Proc[dst].State = Excl))
ruleset src : NODE dorule “Local_Get" UniMsg[src].Cmd = Get & !Dir.Pending
==>begin Dir.Dirty := false; UniMsg[src].Cmd := Put;endrule;endruleset;
ruleset src : NODE dorule "Local_Get" UniMsg[src].Cmd = Get & !Dir.Pending & forall dst: NODE do src != dst -> !(Proc[dst].State = Excl) end==>begin Dir.Dirty := false; UniMsg[src].Cmd := Put;endrule;endruleset;
Refinement
ruleset src : NODE dorule "Local_Get" UniMsg[src].Cmd = Get & !Dir.Pending & forall dst: [1..N] do src != dst -> !(Proc[dst].State = Excl) end==>begin Dir.Dirty := false; UniMsg[src].Cmd := Put;endrule;endruleset;
rule "ABSLocal_Get"true & !Dir.Pending & forall dst: [1,2]. -> !(Proc[dst].State = Excl) end
==> beginDir.Dirty := false; NOPendrule;
Abstracting strengthened system leads to a refined abstract model
CMP Method
P(N)
Ps(N)
PA
Strengthen with8 i,j. (i,j)
Abstraction
²
²
²
DTR is conservative
ApparentCircular Reasoning
P(N) ² 8 i,j. (i,j)
Conjunction of property to be proved and lemmas
Paper has the proof details!
Flow based Invariants
• Rich partial orders on system events are implicit in the concurrent protocols– We call these Message Flows or simply Flows
• And these can yield powerful invariants
Dir i j
SendReqS
SendGntS
RecvReqS
RecvGntS
i jDir
SendReqS
RecvReqS
SendInv
SendGntS
SendInvAck
RecvGntS
RecvInvAck
Process i intiates a Request Shared transaction: Case 1
Process i intiates a Request Shared transaction: Case 2
Flows: Examples
Constraints from Flows
Dir i j
SendReqS
SendGntS
RecvReqS
RecvGntS
ReqShare(i)
SendReqS(i),RecvReqS(i),SendGntS(i),RecvGntS(i)
Precedence between rules:For instance, for process i, action RecvReqS(i)must happen before SendGntS(i)
Tracking Flows
A set Aux(i) of auxiliary variables to track 1) all the flows that a process i is involved in
2) for each such flow the last rule that was fired
Each aux 2 Aux(i) is initially ( no_flow, no_rule )
If process i fires rules rn in a flow
f: r1,….rn-1, rn,…..rm
update aux = (f,rn-1) to (f,rn) If rn is the last rule reset the aux variable
Constraints from Flows
Dir i j
SendReqS
SendGntS
RecvReqS
RecvGntS
Precondition for process i firing rn in flow f:
C(rn,f): 9 aux 2 Aux(i). aux = (f, rn-1 )
Lemmas from Flows
Let r: ! a appear in flows f1,..,fn Find precedence constraints
C1(r,f1), ..,Cn(r,fn)
Let pre(r) = C1(r,f1) Ç ..Ç Cn(r,fn)
Lemma: ) pre(r)
Deriving Lemmas from Flows
• We can easily convert message flows into invariants– Our experiments indicate the resulting invariants are
very powerful
• Advantages:– Message flows are readily available in design
documents– Easy to understand
• Flows are local and linear• No low level details of the protocol
– Valuable validation collateral
A German FlowReqShare: SendReqS,RecvReqS,SendInval,SendGntS,RecvGntS
invariant "Lemma_1" forall i : NODE do Chan3[i].Cmd = InvAck & CurCmd != Empty & ExGntd = true -> Chan3[i].Data = AuxData & forall j : NODE do j != i -> Cache[j].State != E & Chan2[j].Cmd != GntE & Chan3[j].Cmd != InvAck
Modified CMP Flow
DesignDoc
Add aux andFlow lemmas
Flows
P(N)
Pa(N)
Abstract
Strengthen
Model Check
Invent Lemma
PA
Done or Real Cex
spurious cex
P#(N)
Experimental Results• We applied our method to two standard examples
– German and Flash– Verified both control and data property– Compared against CTC
• German– 3 flows and 2 lemmas added manually– Lemmas slightly simpler than ones in CTC
• Flash– 6 flows and 2 lemmas in contrast to > 5 lemmas in CTC
• one trivial and one from CTC paper– Lemma complexity reduced by 75%– One auxiliary variable in contrast to 4 in CTC paper
• Different from flow auxiliary variables• This helps our running times as well: couple of minutes compared to
couple of hours in the CTC work
Conclusion/ Future Work
A powerful new method for parameterized verification based on(i) the CMP method and(ii) invariants from Flows
CMP Method:
(i) We have simplified and generalized the CMP method(ii) Allows more abstractions than simple data type reduction
Thus, more widely applicable
Flows:
A new way to derive invariants for concurrent systems
Look for implicit partial orders on system events!
Conclusion/Future Work
More can be done with flows: Online monitoring to see all traces conform to flows Extend flows to other distributed systems
Flows for shared memory systems using other types of system events…
Learn flows automatically…
Top Related