Going with the Flow Parameterized Verification using Message Flows Murali Talupur & Mark Tuttle SCL, Intel Corporation

Protocol Verification Distributed protocols are crucial components of modern computer systems –Cache coherence protocols for example Designed parametrically –Full validation requires parametric reasoning Protocol verification involves two main issues –Tightly coded So standard predicate abstraction and COI reduction will not work –Unbounded or high degree of parallelism

Our Approach Consists of two key elements CMP Method: A general framework for reasoning about systems with replication We simplified and generalized the method Flow based Invariants: A new method for discovering invariants of concurrent systems Implicit partial orders on system events yield valuable invariants

Existing Methods Index predicates WS1S Counter Abstraction Regular Model Checking Invisible Invariants Aggregated Trans CMP Increasing Manual Effort Theorem Proving Automatic methods don’t scale Manual methods require human guidance but scale

CMP method Compositional reasoning based method –Proposed by McMillan, elaborated by Chou et al [CTC] and further formalized by Krstic CMP: Pros and Cons –Scales to large protocols This was one of the first techniques to handle Flash protocol Within Intel handled a cache protocol several orders of magnitude bigger than even Flash –User has to supply “lemmas”/invariants Supplying lemmas is easier than supplying full blown inductive invariants –Easier than pure theorem proving

CMP Method P(N) True or Real Cex Abstract Strengthen Model Check Invent Lemma PAPA spurious cex P # (N)

Data Type Reduction Other 21 N 21 N-13 Reduces unbounded range [1..N] to [1,2, o] –Throws away the state spaces of [3..N] –Any condition involving them is conservatively over-approximated P(N) PAPA

ruleset src : [1..N] do rule “Local_Get" UniMsg[src].Cmd = Get & !Dir.Pending ==> begin Dir.Dirty := false; UniMsg[src].Cmd := Put; endrule; endruleset; ruleset src : [1,2] do rule “Local_Get" UniMsg[src].Cmd = Get & !Dir.Pending ==> begin Dir.Dirty := false; UniMsg[src].Cmd := Put; endrule; endruleset; rule "ABSLocal_Get" true & !Dir.Pending ==> begin Dir.Dirty := false; NOP endrule; Rules are in guarded command form: r:  ! a

Data Type Reduction Data type reduction is syntactic –Very fast – Abstract model has small state space Behavior of “Other” is not constrained at all –Need to refine “Other”

Refinement User provides relevant lemmas Proceeds in two steps: (i)Strengthening of P(N) with the lemmas (ii)Abstracting the strengthened system

Strengthening invariant "Lemma" forall src : NODE do forall dst : NODE do dst != src -> (UniMsg[src].Cmd = Get -> !( Proc[dst].State = Excl)) ruleset src : NODE do rule “Local_Get" UniMsg[src].Cmd = Get & !Dir.Pending ==> begin Dir.Dirty := false; UniMsg[src].Cmd := Put; endrule; endruleset; ruleset src : NODE do rule "Local_Get" UniMsg[src].Cmd = Get & !Dir.Pending & forall dst: NODE do src != dst -> !(Proc[dst].State = Excl) end ==> begin Dir.Dirty := false; UniMsg[src].Cmd := Put; endrule; endruleset;

Refinement ruleset src : NODE do rule "Local_Get" UniMsg[src].Cmd = Get & !Dir.Pending & forall dst: [1..N] do src != dst -> !(Proc[dst].State = Excl) end ==> begin Dir.Dirty := false; UniMsg[src].Cmd := Put; endrule; endruleset; rule "ABSLocal_Get" true & !Dir.Pending & forall dst: [1,2]. -> !(Proc[dst].State = Excl) end ==> begin Dir.Dirty := false; NOP endrule; Abstracting strengthened system leads to a refined abstract model

CMP Method P(N) P s (N) PAPA Strengthen with 8 i,j.  (i,j) Abstraction ²  DTR is conservative Apparent Circular Reasoning P(N) ² 8 i,j.  (i,j) Conjunction of property to be proved and lemmas Paper has the proof details!

Flow based Invariants Rich partial orders on system events are implicit in the concurrent protocols –We call these Message Flows or simply Flows And these can yield powerful invariants

Dir ij SendReqS SendGntS RecvReqS RecvGntS ijDir SendReqS RecvReqS SendInv SendGntS SendInvAck RecvGntS RecvInvAck Process i intiates a Request Shared transaction: Case 1 Process i intiates a Request Shared transaction: Case 2 Flows: Examples

Constraints from Flows Dir ij SendReqS SendGntS RecvReqS RecvGntS ReqShare(i) SendReqS(i),RecvReqS(i),SendGntS(i),RecvGntS(i) Precedence between rules: For instance, for process i, action RecvReqS(i) must happen before SendGntS(i)

Tracking Flows A set Aux(i) of auxiliary variables to track 1) all the flows that a process i is involved in 2) for each such flow the last rule that was fired Each aux 2 Aux(i) is initially ( no_flow, no_rule ) If process i fires rules r n in a flow f: r 1,….r n-1, r n,…..r m update aux = (f,r n-1 ) to (f,r n ) If r n is the last rule reset the aux variable

Constraints from Flows Dir ij SendReqS SendGntS RecvReqS RecvGntS Precondition for process i firing r n in flow f: C(r n,f): 9 aux 2 Aux(i). aux = (f, r n-1 )

ijDir SendReqS RecvReqS SendInv SendGntS SendInvAck RecvGntS RecvInvAck SendInval(j) SendInv(j),SendInvAck(j), RecvInvAck(j) ReqShare(i) SendReqS(i),RecvReqS(i),SendInval(j),SendGntS(i),RecvGntS(i) Precedence between subflows and rules SendInval(j) must have finished before SendGntS(i) can happen (for process i) Constraints from Flows

Lemmas from Flows Let r:  ! a appear in flows f 1,..,f n Find precedence constraints C 1 (r,f 1 ),..,C n (r,f n ) Let pre(r) = C 1 (r,f 1 ) Ç.. Ç C n (r,f n ) Lemma:  ) pre(r)

Deriving Lemmas from Flows We can easily convert message flows into invariants –Our experiments indicate the resulting invariants are very powerful Advantages: –Message flows are readily available in design documents –Easy to understand Flows are local and linear No low level details of the protocol –Valuable validation collateral A German Flow ReqShare: SendReqS,RecvReqS,SendInval,SendGntS,RecvGntS invariant "Lemma_1" forall i : NODE do Chan3[i].Cmd = InvAck & CurCmd != Empty & ExGntd = true -> Chan3[i].Data = AuxData & forall j : NODE do j != i -> Cache[j].State != E & Chan2[j].Cmd != GntE & Chan3[j].Cmd != InvAck

Modified CMP Flow Design Doc Add aux and Flow lemmas Flows P(N) P a (N) Abstract Strengthen Model Check Invent Lemma PAPA Done or Real Cex spurious cex P # (N)

Experimental Results We applied our method to two standard examples –German and Flash –Verified both control and data property –Compared against CTC German –3 flows and 2 lemmas added manually –Lemmas slightly simpler than ones in CTC Flash –6 flows and 2 lemmas in contrast to > 5 lemmas in CTC one trivial and one from CTC paper –Lemma complexity reduced by 75% –One auxiliary variable in contrast to 4 in CTC paper Different from flow auxiliary variables This helps our running times as well: couple of minutes compared to couple of hours in the CTC work

Conclusion/ Future Work A powerful new method for parameterized verification based on (i)the CMP method and (ii)invariants from Flows CMP Method: (i) We have simplified and generalized the CMP method (ii) Allows more abstractions than simple data type reduction Thus, more widely applicable Flows: A new way to derive invariants for concurrent systems Look for implicit partial orders on system events!

Conclusion/Future Work More can be done with flows: Online monitoring to see all traces conform to flows Extend flows to other distributed systems Flows for shared memory systems using other types of system events… Learn flows automatically…

ijDir ReqS RecvReqS SendInv GntS SendInvAck RecvGntS RecvInvAck Precedence between subflows and rules All instances of SendInval(j) must have finished before SendGntS(i) can happen (for process i) Precondition for proc i firing rl n occuring after sfl(k,l) in flow fl C 2 (rl n,fl): 8 i. 8 aux 2 Aux(i). aux  (sfl,_) Constraints from Flows

CMP method The hardest part is coming up with lemmas –User has to supply “lemmas” Supplying lemmas is easier than supplying inductive invariants –We just have to constrain the Other process –Lemmas don’t have to be inductive This is what makes the method tick

Our Approach Consists of two key elements CMP Method: A general framework for reasoning about systems with replication Flow based Invariants: A new method for discovering invariants for concurrent systems These are applicable to concurrent systems in general

Refinement with Lemmas Parameterized system is strengthened with the lemmas –Data type reduction is applied as usual –The resulting abstract model is more refined than previously Behavior of Other restricted by the states of processes 1 and 2