Counterexample Guided Invariant Discovery for Parameterized Cache Coherence Verification Sudhindra Pandav Konrad Slind Ganesh Gopalakrishnan
Counterexample Guided Invariant Discovery for Parameterized Cache Coherence
Verification
Sudhindra Pandav
Konrad Slind
Ganesh Gopalakrishnan
Motivation
• Parameterized verification methods are of growing importance for large scale verification
• Despite the current state of art, parameterized verification – still highly manual and ingenious process – almost inapplicable for large system verification
• Using the current technology standards, can we make the verification process at usage level– more easy, more structured and more practical?
• Symbiosis --- can we benefit from system designer’s insights?
Contributions
• Invariant discovery for parameterized verification of safety properties
• Based on syntactic analysis of counterexamples to discover only relevant invariants
• Heuristics for directory-based cache coherence protocols (important class of parameterized systems) to minimize the number of predicates in the generated invariants
• Case studies: German, FLASH, German-Ring.
Inductive Invariant Checking: Basics
• Let θ be the initial state formula.
• Let δ be the transition formula.
• Let P be the property to be proved.
• Generate an inductive invariant Q s.t – θ=> P– Q /\ δ => Q’– Q => P
• How to generate Q ?
Inductive Invariant Checking: Practice
s
t
General State Verification:For all states s & t, such that s∈ R, t ∈R, verify that the property P(s) => P(t)
all states
• diagrams not up to scale
Reachable states(R)
initial states
(I)
Auxiliary invariantQ
Inductive invariant checking:• I Q⊂• Q(s) => Q(t)• Q(s) /\ P(s) => P(t)
System Model
• We model the system as a tuple <V, , > where V = set of system variables = initial state formula = set of rules of form: g => a, where
g = boolean condition(guard)a = next state assignment of state variables(action)
• We also have a set of input variables I, which are assigned arbitrary values in each step of operation.– The guard g consists of variables on (V U I)
• Expressions are logical formulae over the theory of equality and uninterpreted functions– Values can be integers, booleans, functions (integer arrays) or
predicates (boolean arrays).
Property
• Safety properties we verify are of form:X. A(X) => C(X)where– X is the set of variables (index variables)– A is the antecedent– C is the consequent
• Example:– i,j. ((i != j) & (cache(i) = exclusive)) => (cache(j) =
invalid) ;
Invariant Discovery Process: Counterexample Analysis Overview
• Since we start from a general state, we are bound to get failure cases
• Failure cases classified into three possible classes
• Syntactic analysis of failure case:– Pick relevant predicates from
• Predicates in the property• Predicates in the transition rule• Interpretation to input variables (I) and index variables (X)
– Construct auxiliary invariant by substituting in the formula suggested for the corresponding failure class
Counterexample
• Counterexample is a trace consisting of two states and a transition rule that leads one state to another, which violates the property.
• Formally, a counterexample C can be
expressed as a tuple <s, , t >, where
– s is the initial state interpretation
– t is the next state interpretation
– is the transition rule of form: g => a
Failure Classes
• Counterexample C = <s, , t >• Property P: X.A(X) => C(X)• Since, the initial state satisfies the property and
the next state violates it, we can classify counterexamples into three different classes.– (s |= A, s |= C) (t |= A, t !|= C)– (s !|= A, s !|= C) (t |= A, t !|= C)– (s !|= A, s |= C) (t |= A, t !|= C)
• We analyze each case and suggest a formula to construct auxiliary invariant
Case I: (s |= A, s |= C) (t |= A, t !|= C)
s t
AC
A~C
A => ~g
SC(A,s)
SC(g,s
)
• Candidate invariant generated: SC(A, s) => ~SC(g,s)
where SC is the satisfying core under interpretation s.• SC can be easily computed from the structure of formula
g
Case II: (s !|= A, s !|= C) (t |= A, t !|= C)
s t
~A~C
A~C
a
retains
VC(C, s)
SC(g, s)
•Candidate invariant generated:
~VC(C,s) => ~SC(g,s) where VC is the violating core under interpretation s.•VC can be easily computed from the structure of formula
~C => ~g
g
Case III: (s !|= A, s |= C) (t |= A, t !|= C)
s tg
~AC
A~C
a
a
•Probably a concrete counterexample, as the action assigns next state values to variables in both A and C s.t they contradict.• helps identify errors in models
Example: German protocol
• i,j. cache(i) = exclusive => ch2(j) != grant_sh
• Counterexample:Start state
• j = curr_client• cache(i) = exclusive• ch2(j) = empty• excl_granted = F
Next state
• ch2(j) = grant_sh• cache(i) = exclusive
rule 9
(current_cmd = req_sh) /\ ~excl_granted /\ ch2(curr_client) = empty => cache(curr_client) = grant_sh; …• type I counterexample: SC(A, s) => ~SC(g,s)
i,j. cache(i) = exclusive => ~((current_cmd = req_sh) /\ ~excl_granted /\ ch2(j) = empty)
Filtering Heuristics
• Guards of transition rules are very much complex, containing many predicates.– More the number of predicates in an auxiliary
invariant, more the number of counterexamples
• Usage-specific heuristics to filter relevant predicates in a structured way
• We suggest heuristics for directory based cache coherence protocols based on empirical observations
Heuristics for dir based cache coherence protocols
• Order predicates in guard depending on type of the rule (R), msg type (m), client type (c) and state variables.
• Type of rules:– P-rule: initiated by requesting node– N-rule: initiated by msg from network
• Type of msgs:– Request: req msg from caching node to home node– Grant: msg from home to caching node, acks, …
• State variables:– local: variables describing state of cache– directory: variables describing directory– environment: variables describing global state– channel: variables describing msg on network channels
• Such categorization is natural for designers.
Filtering Heuristics for dir based cache coherence protocols
Rule ( R ) Msg type (m) Client type ( c ) Filter: pick predicates on
P-rule request home local variablesremote directory variables
N-rule request home (1) directory variables(2) environment variables
remote(1) channel variables describing msg type(2) channel variables describing sender of msg
grant -channel variables describing msg type
Example: German protocol
• i,j. cache(i) = exclusive => ch2(j) != grant_sh
• Counterexample:Start state
• j = curr_client• cache(i) = exclusive• ch2(j) = empty• excl_granted = F
Next state
• ch2(j) = grant_sh• cache(i) = exclusive
rule 9
(current_cmd = req_sh) /\ ~excl_granted /\ ch2(curr_client) = empty => cache(curr_client) = grant_sh; …
• type I counterexample: SC(A, s) => ~SC(g,s) i,j. cache(i) = exclusive => ~((current_cmd = req_sh)
/\ ~excl_granted /\ ch2(j) = empty) • R = N-rule, m = request, c = home select predicates on dir variables• i,j. cache(i) = exclusive => ~excl_granted
Results / Comparison
Protocol Property verified # invariants # predicates Time #invariants (Lahiri)# predicates
(Lahiri) Time
German mutex 9 13 2.16s 29 (manual) 8 hours1 (single indexed, auxiliary variable) 121 (double indexed) 28 2813s
mutex 7 9 4.71sdata consistency 22 18.68s
German-Ring mutex 2FLASH predicate explosion
data consistency 11 2.84s
Conclusions
• Counterexample guided invariant discovery for safety property verification of parameterized systems.
• Simple heuristics to pick relevant predicates from guards of directory based cache protocols.
• Structured way of using verification technology for practical verification.
• Applied our methods to cache protocols from small to large scale examples.
• Future Work:– Automation
• Counterexample analysis steps can be automated
– Application to other large examples
References• Counter-example based predicate discovery in predicate abstraction
[Das et.al., FMCAD’02]• Parameterized verification of a cache coherence protocol [Baukus
et.al., VMCAI’02]• A simple method for parameterized verification of cache coherence
protocols [Ching-Tsun Chou et.al., FMCAD’04]• Indexed predicate discovery for unbounded system verification
[Lahiri et.al., CAV’04]• Automatic deductive verification with invisible invariants [Pnueli
et.al., TACAS’01]• Empirically efficient verification for a class of infinite state systems
[Bingham et.al., TACAS’02]• A synthesizer of inductive assertions [German et.al., IEEE trans.’75]
System Operation
At each step of operation,• Input variables are assigned arbitrary values
• A rule ∈ is nondeterministically selected for execution
• If the guard g is enabled (true), then next state values are assigned to state variables in the action a.– State variables which are not assigned in action
retain their values.
• Depending on the structure of the counterexample, we construct an auxiliary invariant from – those predicates in the property P, which
have been violated– predicates from the guard and ITE (“if-then-
else”) conditions in the action