Presentation is loading. Please wait.

Presentation is loading. Please wait.

Murφ: A Retrospective Prof. David L. Dill Department of Computer Science Stanford University

Published byJoseph Adkins Modified over 10 years ago

Similar presentations

Presentation on theme: "Murφ: A Retrospective Prof. David L. Dill Department of Computer Science Stanford University"— Presentation transcript:

1 Murφ: A Retrospective Prof. David L. Dill Department of Computer Science Stanford University http://www.verifiedvoting.org

2 Murφ Freeware system produced by our research group. Explicit-state model checker for simple safety properties. Widely used for cache coherence problems –Cryptographic protocols –User interface –Etc. Innovations –Practical symmetry reduction –State hashing –Parallel implementation Currently available: From University of Utah (Ganesh Gopalakrishnan research group).

3 Prehistory Result of interviewing hardware people in my building (E.g., John Hennessy, Mark Horowitz, Anoop Gupta) Q: What is the biggest practical problem in hardware verification A: Multiprocessor cache coherence (Not surprising, since these people were all working on the DARPA-funded DASH project – a shared-memory multiprocessor.)

4 Goal: Experiment with BDD-based Model Checking of DASH Ken McMillans work on Gigamax protocol was inspirational. Three PhD students: Andreas Drexler, Alan J. Hu, C. Han Yang Initial approach: Minimize language design; try ideas with minimum tool building. Midway through the summer: Student opinion – building tools and doing the project would be faster than doing the project without the tools.

5 Trans Language was inspired by Misra & Chandy UNITY concurrency model –Iterated guarded commands –Asynchronous concurrency –Communication/synchronization through shared global variables –Parallel composition = union of rules. Trans was to be translated to BDD relations

6 Mur In one week, I saw two other languages/systems called trans Considered calling it Murphy (my version of Murphys law: The bug is always in the case you didnt test.) Saw another system named Murphy that week… Hence Murφ – a name so silly that no one else would use it. (An early review: Lose the cute name…) Subconsciously inspired by TeX? Lesson: Google specificity is a good thing.

7 BDD Verifier Alan Hu was the BDD specialist (victim)? Andreas Drexler wrote the front end (parser, etc.) Han Yang worked on applications. Result: BDDs were a bottleneck. Solution: Build a simple explicit-state verifier so we could develop some protocol descriptions -- while Alan got the BDDs working better.

8 Scaling up and scaling down Murphis primary use mode was bug-hunting Only small descriptions could be handled Downscaling Hypothesis: many bugs can be discovered in a scaled-down system: 3 processors instead of 64, 2 memory addresses, 1 bit of memory. Features: –Symbolic constants –Rulesets – parameterized families of guarded commands provide for scalable concurrency. –Arrays – provide for scalable state variables.

9 BDDs Meanwhile, Alan was still trying to make BDDs work. Back end tool called EVER Problem: Multiprocessor cache coherence protocols are not good for BDDs. P1 P2 P3 C12 C13 C23 Ps and Cs have BDD variables. Typically, P i sends a msg to P j via C ij. P i is in wait state, P j in receiving state, C ij has msg from i to j All variables are correlated, so they should be adjacent in order. But not all Ps and Cs can be next to each other.

10 BDD tricks Alan and I tried heroic measures to make BDDs work –Functional dependencies – identify BDD variables that could be replaced by functions of other variables. –Implicit Conjunctions – Represent the state space as the conjunction of a set of BDDs. Result: Papers were written, Alan got a PhD, and Murφ continued being an explicit- state verifier.

11 Andreas Nowatzyk at Sun Computer architect – worked on Deep Thought at CMU while I was there Shared an office with Michael Browne, another student of Ed Clarkes At CMU, seemed to derive malicious pleasure from debunking the effectiveness of model checking. Thoroughly understood verification and wanted help applying it to the machine he was designing at Sun.

12 Suns cache coherency I decided to try our new tool on an abstracted version of Andreass protocol. This generated many requests for changes and improvements in the tool and language. After lots of work and several false positives, we started discovering protocol problems of interest to Andreas. Lesson: If you want your group to produce a decent tool, use it yourself!

13 Symmetry reduction Our cache coherence protocols had huge amounts of symmetry –Identical processors, memory addresses, memory values, etc. –Many redundant states were being explored (swap processors 1 & 2). Idea: Symmetric subrange – elements are interchangeable (called scalarset) Proc: 1..n => Proc: ScalarSet{n} Operations on scalarsets must respect symmetry: Only assignment, equality, array indexing. Only captures full symmetry – but thats the most important practical case.

14 Symmetry PhD student Norris Ip figured out the details: –Scalarset values represented as small integers. –If the values in the scalarset were permuted, resulting state graph is bisimular to original Implementation –State is not searched if an equivalent state is found in state table. –Starts are normalized before looking up in hash table. –Problem is equivalent to graph isomorphism, so heuristics were used.

15 Probabilistic search Visiting student Uli Stern Hash compaction (based on Wolper & Leroys paper) –Store make hash table index, hash signature independent. –Use linear hashing –Use breadth-first search to minimize path length. Use of disk for state table (breadth-first search) Parallel Murφ

16 Lessons Find a challenge problem to solve (e.g., DASH cache coherence). –Find motivated people to work with. –Solving it should be important. –Do things that work – then generalize. –Tool designers/builders should also use the tools. Benefits –Helps set priorities (Is this helping to solve the problem?) –Tool will work for at least one thing (its easy to make tools that work for zero things).

17 Lessons Minimize barriers to use –Liberal licensing (beware of corporate lawyers) –Minimize cost of trying it out. –Dont make users download too much other stuff. –Make build/install easy. Work in Silicon Valley (or Austin, or …) where finding interested industrial people is relatively easy. –Early users/partners are crucial. –Later, tool sold itself.

18 Participants Alan J. Hu Andreas Drexler C. Han Yang Ralph Melton Norris Ip Seungjoon Park Ulrich Stern

Download ppt "Murφ: A Retrospective Prof. David L. Dill Department of Computer Science Stanford University"

Similar presentations

Verification of architectural memory models by model checking Shaz Qadeer Compaq Systems Research Center

Verification of architectural memory models by model checking Shaz Qadeer Compaq Systems Research Center
1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs.

1 Verification of Infinite State Systems by Compositional Model Checking Ken McMillan Cadence Berkeley Labs.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
Hierarchical Cache Coherence Protocol Verification One Level at a Time through Assume Guarantee Xiaofang Chen, Yu Yang, Michael Delisi, Ganesh Gopalakrishnan.

Hierarchical Cache Coherence Protocol Verification One Level at a Time through Assume Guarantee Xiaofang Chen, Yu Yang, Michael Delisi, Ganesh Gopalakrishnan.
Department of Computer Sciences Revisiting the Complexity of Hardware Cache Coherence and Some Implications Rakesh Komuravelli Sarita Adve, Ching-Tsun.

Department of Computer Sciences Revisiting the Complexity of Hardware Cache Coherence and Some Implications Rakesh Komuravelli Sarita Adve, Ching-Tsun.
CS357 Lecture: BDD basics David Dill 1. 2 BDDs (Boolean/binary decision diagrams) BDDs are a very successful representation for Boolean functions. A BDD.

CS357 Lecture: BDD basics David Dill 1. 2 BDDs (Boolean/binary decision diagrams) BDDs are a very successful representation for Boolean functions. A BDD.
Inpainting Assigment – Tips and Hints Outline how to design a good test plan selection of dimensions to test along selection of values for each dimension.

Inpainting Assigment – Tips and Hints Outline how to design a good test plan selection of dimensions to test along selection of values for each dimension.
Operating Systems Lecture 10 Issues in Paging and Virtual Memory Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing.

Operating Systems Lecture 10 Issues in Paging and Virtual Memory Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing.
Timed Automata.

Timed Automata.
Tuan Tran. What is CISC? CISC stands for Complex Instruction Set Computer. CISC are chips that are easy to program and which make efficient use of memory.

Tuan Tran. What is CISC? CISC stands for Complex Instruction Set Computer. CISC are chips that are easy to program and which make efficient use of memory.
Synchronization without Contention John M. Mellor-Crummey and Michael L. Scott+ ECE 259 / CPS 221 Advanced Computer Architecture II Presenter : Tae Jun.

Synchronization without Contention John M. Mellor-Crummey and Michael L. Scott+ ECE 259 / CPS 221 Advanced Computer Architecture II Presenter : Tae Jun.
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.

CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.

6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.
The Stanford Directory Architecture for Shared Memory (DASH)* Presented by: Michael Bauer ECE 259/CPS 221 Spring Semester 2008 Dr. Lebeck * Based on “The.

The Stanford Directory Architecture for Shared Memory (DASH)* Presented by: Michael Bauer ECE 259/CPS 221 Spring Semester 2008 Dr. Lebeck * Based on “The.
1 HOIST: A System for Automatically Deriving Static Analyzers for Embedded Systems John Regehr Alastair Reid School of Computing, University of Utah.

1 HOIST: A System for Automatically Deriving Static Analyzers for Embedded Systems John Regehr Alastair Reid School of Computing, University of Utah.
Memory Management (II)

Memory Management (II)

Similar presentations

Ads by Google