Compositional reasoning for Parameterized Verification Murali Talupur Joint work with Sava Krstic, John O’leary, Mark Tuttle

Protocol Verification Distributed protocols are crucial components of modern computer systems –Cache coherence protocols for example Designed parametrically –Full validation requires parametric reasoning Protocol verification involves two main issues –Tightly coded So standard predicate abstraction and COI reduction will not work –Unbounded parallelism

Existing Methods Index predicates WS1S Counter Abstraction Regular Model Checking Invisible Invariants Aggregated Trans CMP Increasing Manual Effort Theorem Proving Automatic methods don’t scale Manual methods require human guidance but scale

CMP method Compositional reasoning based method –Proposed by McMillan, elaborated by Chou et al and further simplified by Krstic CMP scales to large protocols –This was one of the first techniques to handle Flash protocol User has to supply “lemmas” –Supplying lemmas is easier than supplying inductive invariants Easier than pure theorem proving

CMP Method P(N) True or Real Cex Abstract Strengthen Model Check Invent Lemma PAPA spurious cex P # (N)

Data Type Reduction Other 21 N 21 N-13 Reduces unbounded range [1..N] to [1,2, o] –Throws away the state spaces of [3..N] –Any condition involving them is conservatively over-approximated P(N) PAPA

Example rule "ABS_NI_Local_Get_Put" true & !Sta.Dir.Pending ==> var NxtSta : STATE; begin NxtSta := Sta; NxtSta.Dir.Dirty := false; NOP endrule; ruleset src : [1,2] do rule "NI_Local_Get_Put" Sta.UniMsg[src].Cmd = UNI_Get & !Sta.Dir.Pending ==> Var NxtSta: State begin NxtSta := Sta; NxtSta.Dir.Dirty := false; NxtSta.UniMsg[src].Cmd := UNI_Put; endrule; endruleset; Rules are given in guarded command form: rl:  ! a ruleset src : NODE do rule "NI_Local_Get_Put" Sta.UniMsg[src].Cmd = UNI_Get & !Sta.Dir.Pending ==> Var NxtSta: State begin NxtSta := Sta; NxtSta.Dir.Dirty := false; NxtSta.UniMsg[src].Cmd := UNI_Put; endrule; endruleset;

Data Type Reduction Data type reduction is syntactic –Very fast – Abstract model has small state space Behavior of “Other” is not constrained at all –Need to add lemmas constraining the behaviors of “Other”

Refinement with Lemmas User provides relevant lemmas Parameterized system is strengthened with the lemmas –Data type reduction is applied as usual –The resulting abstract model is more refined than previously Behavior of Other restricted by the states of processes 1 and 2

Murphi Example invariant "Lemma" forall src : NODE do forall dst : NODE do dst != src -> (Sta.Proc[dst].CacheState = Cache_E -> Sta.UniMsg[src].Cmd != UNI_Get) end end; ruleset src : NODE do rule "NI_Local_Get_Put" Sta.UniMsg[src].Cmd = UNI_Get & !Sta.Dir.Pending & forall dst: NODE do src != dst -> !(Sta.Proc[dst].CacheState = Cache_E) end ==> var NxtSta : STATE; begin NxtSta := Sta; NxtSta.Dir.Dirty := false; NxtSta.UniMsg[src].Cmd := UNI_Put; endrule; endruleset; rule "ABS_NI_Local_Get_Put" true & !Sta.Dir.Pending & forall dst: [1,2]. !(Sta.Proc[dst].CacheState = Cache_E) end ==> var NxtSta : STATE; begin NxtSta := Sta; NxtSta.Dir.Dirty := false; NOP endrule;

CMP Method P(N) P s (N) PAPA Strengthening Abstraction ²  DTR is conservative Circular Reasoning P(N) ² 8 i,j.  (i,j)

Circular Reasoning Principle System P consists of guarded rules  ! a Let R i stand for all states reachable within i steps in P ( 8 s 2 R i s ²  ) ( 8 s 2 R i s ²  P s :  Æ  ! a P s ²  ) P ² 

Application McOP is the cache coherence protocol of an experimental system with more than 50 cores Vastly more complex than Flash –German has 7 msg types, Flash has 16, McOP has 55 The proof took one month –25 lemmas Final count does not include the several wrong/weak lemmas that were used –5 auxiliary variables

Improvements to CMP Automate as much as possible Reduce the burden on human user –Derive lemmas automatically –Instead of data type reduction use richer abstraction

Automating CMP Method P(N) True or Real Cex Abstract Strengthen Model Check Invent Lemma PAPA spurious cex P # (N)

Deriving Lemmas from Flows We can use message flows to derive powerful lemmas automatically

Dir ij ReqS GntS RecvReqS RecvGntS ijDir ReqS RecvReqS SendInv GntS SendInvAck RecvGntS RecvInvAck Process i intiates a Request Shared transaction: Case 1 Process i intiates a Request Shared transaction: Case 2 Flows: Examples

Deriving Lemmas from Flows We can use message flows to derive powerful lemmas automatically Advantages: –Message flows are readily available in design documents –Easy to understand Flows are local involving two agents unlike system wide invariants –Valuable validation collateral

Constraints from Flows Dir ij ReqS GntS RecvReqS RecvGntS ReqShare(i) SendReqS(i),RecvReqS(i),SendGntS(i),RecvGntS(i) Precedence between rules: For process i, action RecvReqS(i) must happen before SendGntS(i) Using lemmas from flows cut down the number of manual lemmas by 75%! Our FMCAD’08 paper has more details

Flows Cont. German Flows ReqShare(i): SendReqS(i),RecvReqS(i),SendInval(i),SendGntS(i),RecvGntS(i) ReqExcl(i): SendReqE(i),RecvReqE(i),SendInval(i),SendGntE(i),RecvGntE(i) SendInval(i): SendInv(i),SendInvAck(i),RecvInvAck(i) invariant "Lemma_1" forall i : NODE do Chan3[i].Cmd = InvAck & CurCmd != Empty & ExGntd = true -> Chan3[i].Data = AuxData & -- 5 forall j : NODE do j != i -> Cache[j].State != E & -- 1 Chan2[j].Cmd != GntE & -- 1 Chan3[j].Cmd != InvAck -- 2 end end; In contrast:

Using Richer Abstractions Other 21 N 21 N-13 P(N) PAPA O1O1 O2O2 OnOn Use lightweight environment abstraction to track processes [3..N] instead of completely throwing away their states

Conclusion CMP works very well in practice –The idea of complementing model checkers with user supplied lemmas works quite well –Perhaps the only method that really works CMP is not just for cache coherence verification –Applicable to other distrbuted algorithms/concurrent software as well