counterexample guided invariant discovery for parameterized cache coherence verification sudhindra...
Post on 22-Dec-2015
223 views
TRANSCRIPT
Counterexample Guided Invariant Discovery for Parameterized Cache Coherence
Verification
Sudhindra Pandav
Konrad Slind
Ganesh Gopalakrishnan
Motivation
• Parameterized verification methods are of growing importance for large scale verification
• Despite the current state of art, parameterized verification – still highly manual and ingenious process – almost inapplicable for large system verification
• Using the current technology standards, can we make the verification process at usage level– more easy, more structured and more practical?
• Symbiosis --- can we benefit from system designer’s insights?
Contributions
• Invariant discovery for parameterized verification of safety properties
• Based on syntactic analysis of counterexamples to discover only relevant invariants
• Heuristics for directory-based cache coherence protocols (important class of parameterized systems) to minimize the number of predicates in the generated invariants
• Case studies: German, FLASH, German-Ring.
Inductive Invariant Checking: Basics
• Let θ be the initial state formula.
• Let δ be the transition formula.
• Let P be the property to be proved.
• Generate an inductive invariant Q s.t – θ=> P– Q /\ δ => Q’– Q => P
• How to generate Q ?
Inductive Invariant Checking: Practice
s
t
General State Verification:For all states s & t, such that s∈ R, t ∈R, verify that the property P(s) => P(t)
all states
• diagrams not up to scale
Reachable states(R)
initial states
(I)
Auxiliary invariantQ
Inductive invariant checking:• I Q⊂• Q(s) => Q(t)• Q(s) /\ P(s) => P(t)
System Model
• We model the system as a tuple <V, , > where V = set of system variables = initial state formula = set of rules of form: g => a, where
g = boolean condition(guard)a = next state assignment of state variables(action)
• We also have a set of input variables I, which are assigned arbitrary values in each step of operation.– The guard g consists of variables on (V U I)
• Expressions are logical formulae over the theory of equality and uninterpreted functions– Values can be integers, booleans, functions (integer arrays) or
predicates (boolean arrays).
Property
• Safety properties we verify are of form:X. A(X) => C(X)where– X is the set of variables (index variables)– A is the antecedent– C is the consequent
• Example:– i,j. ((i != j) & (cache(i) = exclusive)) => (cache(j) =
invalid) ;
Invariant Discovery Process: Counterexample Analysis Overview
• Since we start from a general state, we are bound to get failure cases
• Failure cases classified into three possible classes
• Syntactic analysis of failure case:– Pick relevant predicates from
• Predicates in the property• Predicates in the transition rule• Interpretation to input variables (I) and index variables (X)
– Construct auxiliary invariant by substituting in the formula suggested for the corresponding failure class
Counterexample
• Counterexample is a trace consisting of two states and a transition rule that leads one state to another, which violates the property.
• Formally, a counterexample C can be
expressed as a tuple <s, , t >, where
– s is the initial state interpretation
– t is the next state interpretation
– is the transition rule of form: g => a
Failure Classes
• Counterexample C = <s, , t >• Property P: X.A(X) => C(X)• Since, the initial state satisfies the property and
the next state violates it, we can classify counterexamples into three different classes.– (s |= A, s |= C) (t |= A, t !|= C)– (s !|= A, s !|= C) (t |= A, t !|= C)– (s !|= A, s |= C) (t |= A, t !|= C)
• We analyze each case and suggest a formula to construct auxiliary invariant
Case I: (s |= A, s |= C) (t |= A, t !|= C)
s t
AC
A~C
A => ~g
SC(A,s)
SC(g,s
)
• Candidate invariant generated: SC(A, s) => ~SC(g,s)
where SC is the satisfying core under interpretation s.• SC can be easily computed from the structure of formula
g
Case II: (s !|= A, s !|= C) (t |= A, t !|= C)
s t
~A~C
A~C
a
retains
VC(C, s)
SC(g, s)
•Candidate invariant generated:
~VC(C,s) => ~SC(g,s) where VC is the violating core under interpretation s.•VC can be easily computed from the structure of formula
~C => ~g
g
Case III: (s !|= A, s |= C) (t |= A, t !|= C)
s tg
~AC
A~C
a
a
•Probably a concrete counterexample, as the action assigns next state values to variables in both A and C s.t they contradict.• helps identify errors in models
Example: German protocol
• i,j. cache(i) = exclusive => ch2(j) != grant_sh
• Counterexample:Start state
• j = curr_client• cache(i) = exclusive• ch2(j) = empty• excl_granted = F
Next state
• ch2(j) = grant_sh• cache(i) = exclusive
rule 9
(current_cmd = req_sh) /\ ~excl_granted /\ ch2(curr_client) = empty => cache(curr_client) = grant_sh; …• type I counterexample: SC(A, s) => ~SC(g,s)
i,j. cache(i) = exclusive => ~((current_cmd = req_sh) /\ ~excl_granted /\ ch2(j) = empty)
Filtering Heuristics
• Guards of transition rules are very much complex, containing many predicates.– More the number of predicates in an auxiliary
invariant, more the number of counterexamples
• Usage-specific heuristics to filter relevant predicates in a structured way
• We suggest heuristics for directory based cache coherence protocols based on empirical observations
Heuristics for dir based cache coherence protocols
• Order predicates in guard depending on type of the rule (R), msg type (m), client type (c) and state variables.
• Type of rules:– P-rule: initiated by requesting node– N-rule: initiated by msg from network
• Type of msgs:– Request: req msg from caching node to home node– Grant: msg from home to caching node, acks, …
• State variables:– local: variables describing state of cache– directory: variables describing directory– environment: variables describing global state– channel: variables describing msg on network channels
• Such categorization is natural for designers.
Filtering Heuristics for dir based cache coherence protocols
Rule ( R ) Msg type (m) Client type ( c ) Filter: pick predicates on
P-rule request home local variablesremote directory variables
N-rule request home (1) directory variables(2) environment variables
remote(1) channel variables describing msg type(2) channel variables describing sender of msg
grant -channel variables describing msg type
Example: German protocol
• i,j. cache(i) = exclusive => ch2(j) != grant_sh
• Counterexample:Start state
• j = curr_client• cache(i) = exclusive• ch2(j) = empty• excl_granted = F
Next state
• ch2(j) = grant_sh• cache(i) = exclusive
rule 9
(current_cmd = req_sh) /\ ~excl_granted /\ ch2(curr_client) = empty => cache(curr_client) = grant_sh; …
• type I counterexample: SC(A, s) => ~SC(g,s) i,j. cache(i) = exclusive => ~((current_cmd = req_sh)
/\ ~excl_granted /\ ch2(j) = empty) • R = N-rule, m = request, c = home select predicates on dir variables• i,j. cache(i) = exclusive => ~excl_granted
Results / Comparison
Protocol Property verified # invariants # predicates Time #invariants (Lahiri)# predicates
(Lahiri) Time
German mutex 9 13 2.16s 29 (manual) 8 hours1 (single indexed, auxiliary variable) 121 (double indexed) 28 2813s
mutex 7 9 4.71sdata consistency 22 18.68s
German-Ring mutex 2FLASH predicate explosion
data consistency 11 2.84s
Conclusions
• Counterexample guided invariant discovery for safety property verification of parameterized systems.
• Simple heuristics to pick relevant predicates from guards of directory based cache protocols.
• Structured way of using verification technology for practical verification.
• Applied our methods to cache protocols from small to large scale examples.
• Future Work:– Automation
• Counterexample analysis steps can be automated
– Application to other large examples
References• Counter-example based predicate discovery in predicate abstraction
[Das et.al., FMCAD’02]• Parameterized verification of a cache coherence protocol [Baukus
et.al., VMCAI’02]• A simple method for parameterized verification of cache coherence
protocols [Ching-Tsun Chou et.al., FMCAD’04]• Indexed predicate discovery for unbounded system verification
[Lahiri et.al., CAV’04]• Automatic deductive verification with invisible invariants [Pnueli
et.al., TACAS’01]• Empirically efficient verification for a class of infinite state systems
[Bingham et.al., TACAS’02]• A synthesizer of inductive assertions [German et.al., IEEE trans.’75]
System Operation
At each step of operation,• Input variables are assigned arbitrary values
• A rule ∈ is nondeterministically selected for execution
• If the guard g is enabled (true), then next state values are assigned to state variables in the action a.– State variables which are not assigned in action
retain their values.
• Depending on the structure of the counterexample, we construct an auxiliary invariant from – those predicates in the property P, which
have been violated– predicates from the guard and ITE (“if-then-
else”) conditions in the action