Compositional reasoning for Parameterized Verification

Date post: 03-Feb-2016
Page 1: Compositional reasoning for Parameterized Verification

Compositional reasoning for Parameterized Verification

Murali Talupur

Joint work with

Sava Krstic, John O’leary, Mark Tuttle

Page 2: Compositional reasoning for Parameterized Verification

Protocol Verification

• Distributed protocols are crucial components of modern computer systems
  – Cache coherence protocols for example

• Designed parametrically
  – Full validation requires parametric reasoning

• Protocol verification involves two main issues
  – Tightly coded
    • So standard predicate abstraction and COI reduction will not work
  – Unbounded parallelism

Page 3: Compositional reasoning for Parameterized Verification

Existing Methods

[Figure: existing methods laid out along an axis of increasing manual effort: Index predicates, WS1S, Counter Abstraction, Regular Model Checking, Invisible Invariants, Aggregated Transitions, CMP, Theorem Proving]

Automatic methods don’t scale

Manual methods require human guidance but scale

Page 4: Compositional reasoning for Parameterized Verification

CMP method

• Compositional reasoning based method
  – Proposed by McMillan, elaborated by Chou et al and further simplified by Krstic

• CMP scales to large protocols
  – This was one of the first techniques to handle the Flash protocol

• User has to supply “lemmas”
  – Supplying lemmas is easier than supplying inductive invariants
    • Easier than pure theorem proving

Page 5: Compositional reasoning for Parameterized Verification

CMP Method

[Figure: the CMP loop. P(N) is abstracted to PA, which is model checked; the result is either True, a real counterexample, or a spurious counterexample. A spurious counterexample leads to inventing a lemma, strengthening P(N) into P#(N), and abstracting again.]

Page 6: Compositional reasoning for Parameterized Verification

Data Type Reduction

[Figure: P(N) has processes 1, 2, 3, ..., N; after data type reduction, PA keeps processes 1 and 2 and collapses 3..N into a single Other]

• Reduces unbounded range [1..N] to [1, 2, o]
  – Throws away the state spaces of [3..N]
  – Any condition involving them is conservatively over-approximated

Page 7: Compositional reasoning for Parameterized Verification

Example

Rules are given in guarded command form:

  rl: [guard] → a

Original rule, parameterized over NODE:

  ruleset src : NODE do
    rule "NI_Local_Get_Put"
      Sta.UniMsg[src].Cmd = UNI_Get & !Sta.Dir.Pending
    ==>
      var NxtSta : STATE;
    begin
      NxtSta := Sta;
      NxtSta.Dir.Dirty := false;
      NxtSta.UniMsg[src].Cmd := UNI_Put;
    endrule;
  endruleset;

After data type reduction, the same rule is kept for src : [1,2]:

  ruleset src : [1,2] do
    rule "NI_Local_Get_Put"
      Sta.UniMsg[src].Cmd = UNI_Get & !Sta.Dir.Pending
    ==>
      var NxtSta : STATE;
    begin
      NxtSta := Sta;
      NxtSta.Dir.Dirty := false;
      NxtSta.UniMsg[src].Cmd := UNI_Put;
    endrule;
  endruleset;

and for Other the condition on its own message is over-approximated to true and the update to it is dropped:

  rule "ABS_NI_Local_Get_Put"
    true & !Sta.Dir.Pending
  ==>
    var NxtSta : STATE;
  begin
    NxtSta := Sta;
    NxtSta.Dir.Dirty := false;
    -- NOP: the update to Other's UniMsg is dropped
  endrule;

Page 8: Compositional reasoning for Parameterized Verification

Data Type Reduction

• Data type reduction is syntactic
  – Very fast
  – Abstract model has small state space

• Behavior of “Other” is not constrained at all
  – Need to add lemmas constraining the behaviors of “Other”

Page 9: Compositional reasoning for Parameterized Verification

Refinement with Lemmas

• User provides relevant lemmas

• Parameterized system is strengthened with the lemmas
  – Data type reduction is applied as usual
  – The resulting abstract model is more refined than previously
    • Behavior of Other restricted by the states of processes 1 and 2

Page 10: Compositional reasoning for Parameterized Verification

Murphi Example

The lemma, as a Murphi invariant:

  invariant "Lemma"
    forall src : NODE do
      forall dst : NODE do
        dst != src -> (Sta.Proc[dst].CacheState = Cache_E -> Sta.UniMsg[src].Cmd != UNI_Get)
      end
    end;

The rule strengthened with the lemma:

  ruleset src : NODE do
    rule "NI_Local_Get_Put"
      Sta.UniMsg[src].Cmd = UNI_Get & !Sta.Dir.Pending &
      forall dst : NODE do src != dst -> !(Sta.Proc[dst].CacheState = Cache_E) end
    ==>
      var NxtSta : STATE;
    begin
      NxtSta := Sta;
      NxtSta.Dir.Dirty := false;
      NxtSta.UniMsg[src].Cmd := UNI_Put;
    endrule;
  endruleset;

Its data type reduction for Other, where the lemma now constrains Other through the states of processes 1 and 2:

  rule "ABS_NI_Local_Get_Put"
    true & !Sta.Dir.Pending &
    forall dst : [1,2] do !(Sta.Proc[dst].CacheState = Cache_E) end
  ==>
    var NxtSta : STATE;
  begin
    NxtSta := Sta;
    NxtSta.Dir.Dirty := false;
    -- NOP: the update to Other's UniMsg is dropped
  endrule;
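The data type reduction of pages 6 to 8 and the lemma refinement of pages 9 and 10 can be replayed on a toy protocol. The following is an added example, not code from the slides or from the authors: a small Python explicit-state checker over a constructed grant/release protocol whose rules Req, Grant, Recv and Release, property (at most one Exclusive copy) and lemma (an Exclusive copy at one node excludes an Exclusive copy or an in-flight Put at any other node) are all assumptions made for the example. The rules for Other are written by hand, mirroring the syntactic reduction of the ABS_ rules above: conditions on Other's own state become true and updates to it are dropped. Without the lemma the abstract model reaches a spurious violation; with the lemma used to strengthen Release, it passes, and the finite instance P(3) is checked to confirm that the lemma holds there.

```python
"""Added example (not from the slides): a toy run of the CMP loop in plain
Python.  The protocol, its rule names (Req/Grant/Recv/Release), the property
and the lemma are all constructed for illustration; data type reduction is
applied by hand, the way the ABS_ rules on the slides are written."""
from collections import deque

I, E = "I", "E"                        # cache states: Invalid, Exclusive
NONE, GET, PUT = "None", "Get", "Put"  # per-node message slot
# A state is (cache, msg, dirty): two tuples indexed by node plus the
# directory's Dirty bit (true while a grant or an Exclusive copy is out).

def upd(t, i, v):
    return t[:i] + (v,) + t[i + 1:]

def rules_for(n, strengthen):
    """Rules for nodes 0..n-1.  With strengthen=True, Release(i) carries the
    lemma as an extra guard: no other node holds E or an in-flight Put."""
    rules = []
    for i in range(n):
        others = [j for j in range(n) if j != i]
        rules += [
            (f"Req({i})",                      # node asks the directory
             lambda s, i=i: s[0][i] == I and s[1][i] == NONE,
             lambda s, i=i: (s[0], upd(s[1], i, GET), s[2])),
            (f"Grant({i})",                    # directory grants if clean
             lambda s, i=i: s[1][i] == GET and not s[2],
             lambda s, i=i: (s[0], upd(s[1], i, PUT), True)),
            (f"Recv({i})",                     # node installs the line
             lambda s, i=i: s[1][i] == PUT,
             lambda s, i=i: (upd(s[0], i, E), upd(s[1], i, NONE), s[2])),
            (f"Release({i})",                  # node gives the line back
             lambda s, i=i, o=others: s[0][i] == E and (not strengthen or
                 all(s[0][j] != E and s[1][j] != PUT for j in o)),
             lambda s, i=i: (upd(s[0], i, I), s[1], False)),
        ]
    return rules

def other_rules(strengthen):
    """Data-type-reduced rules for the summary node Other: conditions on
    Other's own state become true, updates to it are dropped (so Req(Other)
    and Recv(Other) vanish as NOPs), updates to shared state stay."""
    return [
        ("Grant(Other)", lambda s: not s[2], lambda s: (s[0], s[1], True)),
        ("Release(Other)",
         lambda s: not strengthen or
                   all(s[0][j] != E and s[1][j] != PUT for j in (0, 1)),
         lambda s: (s[0], s[1], False)),
    ]

def reachable(init, rules):
    """Explicit-state BFS; returns the reachable set and a parent map."""
    seen, parents, queue = {init}, {init: None}, deque([init])
    while queue:
        s = queue.popleft()
        for name, guard, action in rules:
            if guard(s):
                t = action(s)
                if t not in seen:
                    seen.add(t)
                    parents[t] = (s, name)
                    queue.append(t)
    return seen, parents

def trace(parents, s):
    """Rule names on the BFS (shortest) path from the initial state to s."""
    names = []
    while parents[s] is not None:
        s, name = parents[s]
        names.append(name)
    return names[::-1]

def exclusive(s, nodes):        # the property: at most one Exclusive copy
    return sum(s[0][j] == E for j in nodes) <= 1

def lemma_ok(s, nodes):         # the lemma: E at j excludes E/Put elsewhere
    return all(s[0][i] != E and s[1][i] != PUT
               for j in nodes if s[0][j] == E for i in nodes if i != j)

def first_violation(init, rules, nodes):
    """Shortest trace to a state violating property or lemma, else None."""
    seen, parents = reachable(init, rules)
    bad = [s for s in seen if not (exclusive(s, nodes) and lemma_ok(s, nodes))]
    if not bad:
        return None
    return trace(parents, min(bad, key=lambda s: len(trace(parents, s))))

def concrete_check(n):
    """P(n): the finite instance, used as a sanity check of the lemma."""
    init = ((I,) * n, (NONE,) * n, False)
    return first_violation(init, rules_for(n, False), range(n))

def cmp_check(strengthen):
    """PA: nodes 0 and 1 plus Other, with or without lemma strengthening."""
    init = ((I, I), (NONE, NONE), False)
    rules = rules_for(2, strengthen) + other_rules(strengthen)
    return first_violation(init, rules, (0, 1))

if __name__ == "__main__":
    print("P(3):", concrete_check(3))
    print("PA without lemma:", cmp_check(False))   # spurious counterexample
    print("PA with lemma:", cmp_check(True))
```

Running it prints no violation for P(3), a six-step spurious trace for the unconstrained abstraction, and no violation once the lemma is in. The spurious trace always passes through Release(Other): the summary node can clear the directory's Dirty bit whenever it likes, which is exactly the unconstrained behaviour of Other that page 8 says lemmas must restrict.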

Page 11: Compositional reasoning for Parameterized Verification

CMP Method

[Figure: Strengthening takes P(N) to Ps(N), Abstraction takes Ps(N) to PA; each of P(N), Ps(N) and PA carries a ⊨ mark. DTR is conservative; the strengthening step rests on Circular Reasoning.]

P(N) ⊨ ∀ i,j. [lemma](i,j)

Page 12: Compositional reasoning for Parameterized Verification

Circular Reasoning Principle

• System P consists of guarded rules [guard] → a

• Let Ri stand for all states reachable within i steps in P

  (∀ s ∈ Ri . s ⊨ [lemma])      (∀ s ∈ Ri . s ⊨ [lemma])

  Ps: [guard] ∧ [lemma] → a      Ps ⊨ [lemma]   ⇒   P ⊨ [lemma]

Page 13: Compositional reasoning for Parameterized Verification

Application

• McOP is the cache coherence protocol of an experimental system with more than 50 cores

• Vastly more complex than Flash
  – German has 7 msg types, Flash has 16, McOP has 55

• The proof took one month
  – 25 lemmas
    • Final count does not include the several wrong/weak lemmas that were used
  – 5 auxiliary variables

Page 14: Compositional reasoning for Parameterized Verification

Improvements to CMP

• Automate as much as possible

• Reduce the burden on human user
  – Derive lemmas automatically
  – Instead of data type reduction use richer abstraction

Page 15: Compositional reasoning for Parameterized Verification

Deriving Lemmas from Flows

• We can use message flows to derive powerful lemmas automatically

Page 16: Compositional reasoning for Parameterized Verification

Flows: Examples

[Figure: two message-flow diagrams between Dir, process i and process j. Case 1: ReqS, RecvReqS, GntS, RecvGntS. Case 2: ReqS, RecvReqS, SendInv, GntS, SendInvAck, RecvGntS, RecvInvAck]

Process i initiates a Request Shared transaction: Case 1

Process i initiates a Request Shared transaction: Case 2

Page 17: Compositional reasoning for Parameterized Verification

Deriving Lemmas from Flows

• We can use message flows to derive powerful lemmas automatically

• Advantages:
  – Message flows are readily available in design documents
  – Easy to understand
    • Flows are local, involving two agents, unlike system wide invariants
  – Valuable validation collateral

Page 18: Compositional reasoning for Parameterized Verification

Constraints from Flows

[Figure: the Case 1 flow between Dir, process i and process j: ReqS, RecvReqS, GntS, RecvGntS]

ReqShare(i): SendReqS(i), RecvReqS(i), SendGntS(i), RecvGntS(i)

Precedence between rules: for process i, action RecvReqS(i) must happen before SendGntS(i)

Using lemmas from flows cut down the number of manual lemmas by 75%!

Our FMCAD’08 paper has more details

Page 19: Compositional reasoning for Parameterized Verification

Using Richer Abstractions

[Figure: P(N) has processes 1, 2, 3, ..., N; PA keeps processes 1 and 2 and replaces Other by an environment abstraction O1, O2, ..., On]

Use lightweight environment abstraction to track processes [3..N] instead of completely throwing away their states

Page 20: Compositional reasoning for Parameterized Verification

Conclusion

• CMP works very well in practice
  – The idea of complementing model checkers with user supplied lemmas works quite well
  – Perhaps the only method that really works

• CMP is not just for cache coherence verification
  – Applicable to other distributed algorithms/concurrent software as well
