Parameterized Verification of Deadlock Freedom in Symmetric Cache Coherence Protocols
Brad Bingham (University of British Columbia, Canada), Jesse Bingham (Intel Corporation, U.S.A.), Mark Greenstreet (University of British Columbia, Canada)
FMCAD, November 2, 2011
Outline
1 What is Deadlock-Freedom?
2 Mixed Abstractions for Parameterized Systems
3 Tightening Mixed Abstractions
4 Results
Bingham, Bingham, Greenstreet (UBC, Intel) Parameterized Deadlock Freedom November 2011 2 / 20
The Problem: Deadlock-Freedom
[Figure: a state space showing the initial state, the reachable states and the quiescent states]
- "Is it deadlock-free?" ≡ "Is there a path from each reachable state to a quiescent state?"
- "quiescent" ≡ "nothing is pending"
- In CTL: AG EF q (more generally, AG(p → EF q))
- Cheap to model check; rules out some liveness bugs; avoids fairness
Overview: Parameterized Systems
- A system S = (S, I, T) is a tuple of states S, initial states I and transitions T.
- A parameterized system is a mapping from the naturals to systems: S(N) = (S(N), I(N), T(N)).
- In cache coherence protocols, the parameter might correspond to "number of caches", "number of addresses", "length of some buffer", etc. In our examples, it's "number of caches".
- Verifying a safety property of S(N) for all N is algorithmically undecidable.
- Previous work addresses this problem. One promising approach is based on compositional reasoning (CEGAR + Human Ingenuity): [McMillan99], [Chou+04], [O'Leary+09].
Parameterized Cache: Symmetric
[Figure: cache 1, cache 2, ..., cache N connected through an interconnect to a directory]
Parameterized Cache Abstraction
[Figure: cache 1 and cache 2 kept explicit; caches 3, ..., N collapsed into a single "Others" node with no local state that overapproximates their behavior; all connected through the interconnect to the directory]
- Finite-state, overapproximate abstraction of S(N) for all N > 2
- Suitable for model checking
Abstraction Relation
[Figure: the reachable states of the concrete system S(N) beside the reachable states of the abstract system A, related by concretization; the quiescent states are marked in both]
- Overapproximation: the concrete reachable states lie within the concretization of the abstract reachable states
- ✓ Abstraction allows us to infer concrete safety properties
- × Cannot infer concrete deadlock-freedom properties: paths don't (necessarily) concretize
Underapproximate Transitions
- Suppose (s, s′) is an abstract transition where every reachable state in the concretization of state s has a path to some state in the concretization of state s′. This transition is called underapproximate.
[Figure: the underapproximate transition s → s′ in the abstract system A, with the concretizations of s and s′ among the reachable states of the concrete system S(N)]
Mixed Abstraction
- A Mixed Abstraction [LT88][Dams+97] is like an abstract transition system, but has two sets of transitions: overapproximate (O) and underapproximate (U).
- Model checking AG(p → EF q) in mixed abstraction M: for each O-reachable p-state, find a U-path to some q-state.
[Figure: an O-path from an initial state to a p-state s, followed by a U-path from s to a q-state s′]
- Theorem: If M ⊨ AG(p → EF q), then S(N) ⊨ AG(p → EF q).
Insufficiency
- What if model checking fails?
[Figure: an O-path from an initial state to a p-state s, followed by a U-path from s that ends in a state s′ that is NOT a q-state and has no U transitions out of it]
1 Perhaps O is too weak: state s has no reachable concretization in S(N). Remedied by strengthening O (covered by previous literature in parameterized safety).
2 Perhaps U is too strong: a U-path from s gets "stuck" before a q-state is reached. Proving that transitions are underapproximate is not addressed by extensive previous work; this is our focus.
Strategy
- Assume a symmetric, parameterized system S(N) expressed with guarded commands (or "rules"), with some restrictions to syntactic form; assume an overapproximate abstraction of S(N).
- Use the abstraction as a starting point for the mixed abstraction.
- Approach: use syntactic analysis to find "trivially" underapproximate transitions U.
- Then: prove selected guarded commands of O are in fact underapproximate by leveraging symmetry and model checking the mixed abstraction. The approach depends on the syntactic form of the rule.
- All of our methods rely on "path symmetry".
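The check described on the "The Problem: Deadlock-Freedom", "Mixed Abstraction" and "Strategy" slides (AG(p → EF q) over a mixed abstraction: every O-reachable p-state needs a U-path to a q-state, then tighten U and re-check), as an added Python example that is not from the paper or the authors' tool. The transition system is a constructed toy with cache 1 explicit and caches 3..N collapsed to "Other"; its state and rule names are assumptions.

```python
from collections import deque

def o_reachable(init, o_trans):
    """BFS over the overapproximate transitions O from the initial states."""
    seen, work = set(init), deque(init)
    while work:
        s = work.popleft()
        for t in o_trans.get(s, ()):
            if t not in seen:
                seen.add(t)
                work.append(t)
    return seen

def u_can_reach(s, u_trans, is_q):
    """EF q along underapproximate transitions only: does some U-path from s hit a q-state?"""
    seen, work = {s}, deque([s])
    while work:
        x = work.popleft()
        if is_q(x):
            return True
        for t in u_trans.get(x, ()):
            if t not in seen:
                seen.add(t)
                work.append(t)
    return False

def check_mixed(init, o_trans, u_trans, is_p, is_q):
    """AG(p -> EF q) on a mixed abstraction. Returns the sorted list of O-reachable
    p-states with no U-path to a q-state (empty list means the property holds)."""
    return sorted(s for s in o_reachable(init, o_trans)
                  if is_p(s) and not u_can_reach(s, u_trans, is_q))

# Constructed toy abstraction (not the paper's protocol): cache 1 is explicit, caches 3..N are "Other".
O = {"idle": ["req1", "reqO"], "req1": ["grant1"], "grant1": ["idle"],
     "reqO": ["grantO"], "grantO": ["idle"]}
# Rules on cache 1 read only visible state, so their transitions are trivially underapproximate.
# The rule granting to "Other" reads hidden local state, so it stays out of U until proven.
U = {"req1": ["grant1"], "grant1": ["idle"], "grantO": ["idle"]}

def pending(s):    # the p-states: something is outstanding
    return s != "idle"

def quiescent(s):  # the q-states: nothing is pending
    return s == "idle"

def before_tightening():
    return check_mixed(["idle"], O, U, pending, quiescent)   # ["reqO"]: U too strong, path gets stuck

def after_tightening():
    # Assume reqO -> grantO has been proven underapproximate (e.g. by path symmetry with req1 -> grant1).
    return check_mixed(["idle"], O, {**U, "reqO": ["grantO"]}, pending, quiescent)  # []
```

A non-empty result is exactly the "U is too strong" failure of the Insufficiency slide; adding the proven transition to U removes it.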
Concrete States
A concrete state is a tuple
  P × G × L[1] × L[2] × L[3] × ... × L[N]
where P are parametric variables ranging over {1, 2, ..., N}, G are global boolean variables ranging over {T, F}, and each L[i] holds symmetric local variables ranging over {T, F}.
Abstract States
An abstract state keeps
  P × G × L[1] × L[2]
where P now ranges over {1, 2, Other} instead of {1, 2, ..., N}, G still ranges over {T, F}, and the local variables L[3], ..., L[N] are HIDDEN.
(Symmetric) Guarded Commands
Guard ⇒ Command
[Figure: two firings of the same symmetric rule. Rule r1 fires when ptr = 1, G ∈ A and L[1] ∈ B, updating G to G′ and L[1] to L′[1] while L[2], ..., L[N] are unchanged. Rule r3 fires when ptr = 3, G ∈ A and L[3] ∈ B, updating G to G′ and L[3] to L′[3] while the other L[i] are unchanged.]
- The r1 firing: underapprox! Its guard and effect involve only state that is visible in the abstraction.
- The r3 firing: not sure... L[3] is HIDDEN BY ABSTRACTION, so the guard L[3] ∈ B cannot be checked.
Abstracted Local State: L[ptr] ∈ B ∧ G ∈ A
[Figure: rule r3 fires with ptr = 3, G ∈ A and L[3] ∈ B, updating G to G′ and L[3] to L′[3]. Two concrete states, one with L[3] ∉ B and one with L[3] ∈ B, are indistinguishable in the abstraction because L[3] is HIDDEN BY ABSTRACTION.]
- Model Checking the Mixed Abstraction: the figure pairs the hidden ptr = 3 case with the visible state ptr = 1, G ∈ A, L[1] ∈ B, labelled "implied path" and "path symmetry".
Abstracted Universal Quantifier: G ∈ A ∧ ∀i. L[i] ∈ B
[Figure: rule r1 fires from a state with G ∈ A and L[i] ∈ B for every i, reaching a state with G′; a symmetric permutation of the local state (L[3], L[2], L[1], ..., L[N]) is shown beside it. A concrete state with L[3] ∉ B and L[N] ∉ B is indistinguishable in the abstraction from one with all L[i] ∈ B, because L[3], ..., L[N] are HIDDEN BY ABSTRACTION.]