INVARIANTS FOR FINITE INSTANCES AND BEYOND
October 21st, 2013
Sylvain Conchon, Amit Goel, Sava Krstić, Alain Mebsout, Fatiha Zaïdi
LRI, Université Paris-Sud; Strategic CAD Labs, Intel Corporation
Challenge
How to prove safety of industrial-size protocols like FLASH for an arbitrary number of processes?
◮ automatically
The FLASH protocol
Stanford FLASH multiprocessor architecture (1994)
◮ Cache-coherent shared memory
◮ High-performance message passing
◮ Industrial size: 67 million states for 4 processes (28,000 states for German)

Who proved the protocol?
◮ Park and Dill, 1996, PVS proof
◮ Das, Dill and Park, 1999, by predicate abstraction
◮ McMillan, 2001, by compositional model checking
◮ Chou, Mannava, Park, 2004, CMP method inspired by McMillan's work
◮ Talupur and Tuttle, 2008, message-flows extension of CMP
None of these proofs is purely automatic.
Solutions
◮ Model checking of parameterized systems
◮ Decidable fragment
◮ Cubicle implements backward reachability
Does it work?
Some benchmarks

Protocol         Cubicle   CMurphi (number of processes in parentheses)
Szymanski at     0.30s     8.04s (8)    5m12s (10)   2h50m (12)
German Baukus    7.03s     0.74s (4)    19m35s (8)   4h49m (10)
German.CTC       3m23s     1.83s (4)    43m46s (8)   12h35m (10)
German pfs       3m58s     0.99s (4)    22m56s (8)   5h30m (10)
Chandra-Toueg    2h01m     5.68s (4)    2m58s (5)    1h36m (6)
Szymanski na     T.O.      0.88s (4)    8m25s (6)    7h08m (8)
Flash nodata     O.M.      4.86s (3)    3m33s (4)    2h46m (5)
Flash            O.M.      1m27s (3)    2h15m (4)    O.M. (5)

O.M. = out of memory (> 20 GB); T.O. = time out (> 20 h).
How to scale?
◮ Reduce the state space to explore
◮ Invariants for the parameterized case
◮ Interesting behaviors are often observable on small instances
Invariants inference
Problem: invariants are often harder to prove than the original property.
Idea: use finite instances to infer invariants for the parameterized case.
◮ Insert and check them on the fly in the backward reachability loop
◮ Backtrack if necessary
BRAB: Backward Reachability with Approximations and Backtracking
Backward reachability algorithm (animated diagram over the sets I, Q, V and U; the figure itself is not recoverable)
BRAB: intuition (animated diagram: I, U, the finite instance of size 2, the candidate ϕ, and the sets Q and V; the figure itself is not recoverable)
Framework
◮ Symbolic framework for parameterized systems
◮ States: formulas in a decidable fragment of FOL
◮ Pre-image effectively computable
◮ Post-image effectively computable for a finite instance
In Cubicle → array-based transition systems
Example: German-ish cache coherence protocol

Client i: Cache[i] ∈ {E, S, I}
Directory: Cmd ∈ {rs, re, ǫ}, Ptr ∈ proc, Shr[i] ∈ {true, false}, Exg ∈ {true, false}
(state diagram: client i moves between I, S and E while the directory sets Exg := true / Exg := false and Shr[i] := true / Shr[i] := false)

Initial states: ∀i. Cache[i] = I ∧ ¬Shr[i] ∧ ¬Exg ∧ Cmd = ǫ
Unsafe states (cubes): ∃i, j. i ≠ j ∧ Cache[i] = E ∧ Cache[j] ≠ I

Transition t5: ∃i. Ptr = i ∧ Cmd = rs ∧ ¬Exg ∧ Cmd′ = ǫ ∧ Shr′[i] ∧ Cache′[i] = S
BRAB algorithm

T: transitions, I: initial states, U: unsafe states (cubes)

BRAB():
  B := ∅; Kind(U) := Orig; From(U) := U;
  M := FWD(d_max, k);
  while BWDA() = unsafe do
    if Kind(F) = Orig then return unsafe
    B := B ∪ {From(F)};
  return safe
(F is the cube on which BWDA() reported unsafe)

BWD():
  V := ∅; push(Q, U);
  while not empty(Q) do
    ϕ := pop(Q);
    if ϕ ∧ I sat then return unsafe
    if ¬(ϕ ⊨ ∨_{ψ ∈ V} ψ) then
      V := V ∪ {ϕ};
      push(Q, pre_T(ϕ));
  return safe

BWDA():
  V := ∅; push(Q, U);
  while not empty(Q) do
    ϕ := pop(Q);
    if ϕ ∧ I sat then return unsafe
    if ¬(ϕ ⊨ ∨_{ψ ∈ V} ψ) then
      V := V ∪ {ϕ};
      push(Q, Approx_T(ϕ));
  return safe

Approx_T(ϕ):
  foreach ψ in candidates(ϕ) do
    if ψ ∉ B ∧ M ⊭ ψ then        (no state of the finite model M satisfies the candidate ψ)
      Kind(ψ) := Appr; ...
      return ψ
  ...
  return pre_T(ϕ)
Example: BRAB on German-ish (diagram of the forward exploration of the instance with two processes #1 and #2; the tree itself is not recoverable)
Root (initial states): ¬Exg ∧ Cmd = ǫ ∧ Cache[#1] = I ∧ Cache[#2] = I ∧ ¬Shr[#1] ∧ ¬Shr[#2]
Transitions fired from the root: t1(#1), t1(#2), t2(#1), t2(#2), giving Cmd = rs or Cmd = re with Ptr = #1 or Ptr = #2; then t5(#1), t5(#2), t6(#1), t6(#2), and further t1 / t2 steps
Sample explored states: after t6: Exg ∧ Cmd = ǫ ∧ Ptr = #1 ∧ Cache[#1] = E ∧ Cache[#2] = I ∧ ¬Shr[#1] ∧ ¬Shr[#2]; after t5: ¬Exg ∧ Cmd = ǫ ∧ Ptr = #2 ∧ Cache[#1] = I ∧ Cache[#2] = S ∧ ¬Shr[#1] ∧ Shr[#2]
Unsafe states: ∃i ≠ j. Cache[i] = E ∧ Cache[j] ≠ I
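The BRAB loop of the algorithm slides, run on an explicit two-client toy instance in the spirit of the German-ish example; this is an added example, not the slides' model nor Cubicle's code. The transition rules, the "forget one variable" candidate generation, FWD with the instance size fixed at two clients, and From(ψ) := ψ are assumptions made here; a shallow forward exploration (d_max = 1) lets a false candidate through and forces backtracking, while a complete one (d_max = 10) needs none.

```python
from collections import deque
from itertools import product
# Toy two-client German-like instance, constructed for this example (not the slides'
# model nor Cubicle's code); cubes are kept as explicit sets of states to run offline.
ALL = frozenset(product(("I", "S", "E"), ("I", "S", "E"), ("eps", "rs", "re"), (1, 2), (0, 1)))
INIT = frozenset(s for s in ALL if s[0] == s[1] == "I" and s[2] == "eps" and s[4] == 0)
UNSAFE = frozenset(s for s in ALL if (s[0] == "E" and s[1] != "I") or (s[1] == "E" and s[0] != "I"))

def step(s):  # successors of (c1, c2, cmd, ptr, exg): request, grant shared/exclusive, release
    c1, c2, cmd, ptr, exg = s
    cache, out = {1: c1, 2: c2}, []
    upd = lambda i, v: (v if i == 1 else c1, v if i == 2 else c2)  # caches with cache[i] := v
    for i in (1, 2):
        if cmd == "eps" and cache[i] == "I":  # t1(i) / t2(i): client i asks for S / E
            out += [(c1, c2, "rs", i, exg), (c1, c2, "re", i, exg)]
        if cache[i] != "I":  # release(i): line back to I; exclusive flag cleared if it held E
            out.append(upd(i, "I") + (cmd, ptr, 0 if cache[i] == "E" else exg))
    if cmd == "rs" and exg == 0:  # t5: directory grants S to ptr
        out.append(upd(ptr, "S") + ("eps", ptr, 0))
    if cmd == "re" and exg == 0 and cache[3 - ptr] == "I":  # t6: grants E only if the other line is I
        out.append(upd(ptr, "E") + ("eps", ptr, 1))
    return out
def fwd(d_max):  # FWD(d_max): the model M, states of the instance reachable within d_max steps
    seen, frontier = set(INIT), set(INIT)
    for _ in range(d_max):
        frontier = {n for s in frontier for n in step(s)} - seen
        seen |= frontier
    return frozenset(seen)
def pre(phi):  # exact pre-image pre_T(phi): states with at least one successor in phi
    return frozenset(s for s in ALL if any(n in phi for n in step(s)))
def candidates(phi):  # approximations of phi: forget one of the 5 variables ("drop a literal")
    for v in range(5):
        proj = {t[:v] + t[v + 1:] for t in phi}
        psi = frozenset(s for s in ALL if s[:v] + s[v + 1:] in proj)
        if psi > phi: yield psi  # only strict generalisations, else BWDA would loop on phi
def brab(d_max):  # returns (verdict, number of backtracks); origin None stands for Kind Orig
    M, B, backtracks = fwd(d_max), set(), 0
    while True:
        covered, queue, origin = set(), deque([(UNSAFE, None)]), None
        while queue:
            phi, origin = queue.popleft()
            if phi & INIT: break  # phi ∧ I satisfiable: a trace back to I for this round
            if phi <= covered: continue  # phi |= ∨V: already covered by V
            covered |= phi
            psi = next((c for c in candidates(phi) if c not in B and not (c & M)), None)
            queue.append((psi, psi) if psi else (pre(phi), origin))  # From(psi) := psi (assumed)
        else: return "safe", backtracks
        if origin is None: return "unsafe", backtracks  # Kind(F) = Orig: real counter-example
        B.add(origin); backtracks += 1  # Kind Appr: ban the approximation and restart BWDA
```

brab(1) still ends with "safe" because a backtracked candidate is only removed from the approximation pool, never from the exact backward search.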