A Survey of Rely-Guarantee Approaches in Compositional Verification Murat Demirbas OSU.
-
Upload
maximilian-davis -
Category
Documents
-
view
217 -
download
0
Transcript of A Survey of Rely-Guarantee Approaches in Compositional Verification Murat Demirbas OSU.
Typical verification methods:
• Deduction:– Temporal and Modal Logic, Emerson 90– TLA, Lamport 94– UNITY Logic, Chandy & Misra 88
• Model Checking
Typical verification methods:
• non compositional
• require a global examination of the entire system
• effective on small examples, however, fail to scale up for large-scale systems
A plea for Compositional Verification
≜ any automaton with 10 states• A ≜ parallel composition of 80 of such ’s• A has 1080 states
– Greater than the # of electrons in the universe
• Now, consider the Internet …• The verification method should scale
linearly rather than exponentially in the number of components
Compositional Verification Methods:
• shift the burden of verification from the global level to the component (local) level
• so that global properties are established by composing independently verified component properties.
Compositional Verification Methods: (cont.)
• Enables us to verify whether a program meets its spec on the basis of the specs of its components (without assuming any knowledge of the interiors of those components).
Rely-Guarantee Approach
• The best studied approach to compositional verification
• A rely-guarantee spec for M is (R, G)– R: the conditions that M relies on its
environment to provide– G: the conditions that M guarantees in return
Rely-Guarantee Approach (cont.)
• The intuition for using R-G specs for M– M needs to behave correctly only when its
environment does
• M (R,G) :⊨ the environment of M violates R before M fails to satisfy G
Composition Principle
Let M be the composition of Mi s.t. iI. Ifj:: R /\ Gi Rj
i:: Mi (R⊨ i, Gi)
• /\ Gi G
ThenM (R,G)⊨
Cyclic Dependencies
output var c initially 0;input var d;loop
<c:=d>endloop
output var d initially 0;input var c;
loop<d:=c>
endloop
c
d
M1 M2
Safety properties in Rely
• M1
– R1: always d=0
– G1: always c=0
• M2
– R2: always c=0
– G2: always d=0
• M ≜ M1 || M2
• R: true
• G: always c=0 d=0
Liveness properties in Rely
• M1
– R1: eventually d=1
– G1: eventually c=1
• M2
– R2: eventually c=1
– G2: eventually d=1
• M ≜ M1 || M2
• R: true
• G: ???
Outline
1. History of compositional verification
2. Stark’s work
3. Abadi & Lamport’s work
4. Lazy composition
5. Modified Rely-Guarantee rules
6. Other work
7. Rely-Guarantee wrappers for f-t
8. Conclusion
1. History of Compositional Verification
• Compositionality in predicate logic, Frege 1923
• Sequential program verification– Inductive assertion method (non
compositional), Floyd 67– axiomatic compositional proof style, Hoare 69
History of Compositional Verification (cont.)
• Concurrent & distributed systems– Proof system for shared variable concurrency:
interference freedom test (non compositional), Owicky & Gries 76
– Temporal logic (non compositional), Pnueli 77– Rely-guarantee formalism (compositional),
Misra & Chandy 81– Rely-guarantee formalism for safety properties
in shared-memory, Jones 81, 83
Misra & Chandy: Proofs of Network of Processes
• Spec for a process Mi is “Ri | Mi | Gi”– Gi holds for empty trace– for all traces t of Mi, if Ri holds for all proper prefixes
of t, then Gi holds for all prefixes (proper & improper) of t
• R | M | G holds if – R /\ Gi /\ Rj
i:: Ri | Mi | Gi
– /\ Gi G
Hoare’s proof rule is an instance of composition principle
• Precondition: the rely of the program on the program state when the control reaches that point
• Postcondition: what the program guarantees in return if and when the control leaves that point
• Limited to the verification of safety properties only
M = M1;M2
• If – RR1, {R1}M1{G1},
– G1R2, {R2}M2{G2}, G2G
• Then {R}M{G}– R G1 G2 R1 , R G1 G2 R2
– M1 (R⊨ 1, G1), Mi (R⊨ i, Gi)
– G1 G2 G
2. Stark’s Proof Technique for Rely-Guarantee Properties
• Stark’s proof technique rules out circular dependencies in liveness conditions; one can derive global liveness properties of a system from its components’ liveness properties.
Stark’s work
• Intuition: Find a set of specs that “cuts” the dependence between a component Mi and its environment. Analogy: loop invariant
• RGi,j = what Mi guarantees to Mj = what Mj relies on Mi to provide
{RGi,j: i,jI{ext}} is a cut set:
• R /\jI RGext,j
• /\iI RGi,ext G
• (j:: /\iI{ext} RGi,j Rj )
• (i:: Gi /\jI{ext} RGi,j )
Acyclic cut sets
• If no Ri holds, then no Gi holds, hence G does not hold
m:: \/k{0...m-1} RGik, ik+1
• Finding a cut set is analogous to finding a loop invariant, no algorithm exists
Rely-Guarantee Proof Rule
• M is a program, RG is an acyclic cut set for M, R, G, and {Ri, Gi: iI}
• If (i: iI : M (⊨ Ri, Gi) )
• Then M (⊨ R, G)
Examples
• Verification of a mutual exclusion algorithm (token ring ME)
• Verification of a distributed resource allocation algorithm
• The proof technique is compared against other liveness proof techniques such as Proof Lattice Method (Lamport & Owicky), and Variant Function Method (Floyd)
3. Abadi & Lamport’s work
• Composing Specifications, 92
• Conjoining Specifications, 93
• Main thm: If all the “rely” specifications (R, i:: Ri) are safety properties, then circularity in “Composition Principle” is safe (i.e., does not lead to circular reasoning).
Stuttering Equivalence
• Specifications should allow “stuttering” steps that leave the state unchanged.
• Consider F, G. A behavior of their composition is obtained by interleaving actions from the two components.
• However, this interleaved behavior does not satisfy F, since it contains steps that do not belong to actions of F, nor does it satisfy G.
Conjoining Specs
• Parallel composition is conjunction.
• Temporal Logic of Actions
• Composition thm
• Decomposition thm
(R,G) R→≜ + G (R secures G)
• R →+ G {σ≜ RG | i: σ[i] S(R) σ[i+1] S(G) }
• S(R) :the strongest safety property containing R (i.e., safety closure of R)
• R →+ G rules out unrealizable implementations of RG where S(G) fails before the failure of S(R) can be detected by the component.
• RG R →+ G for machine realizable specs. They allow the same implementations.
Safety properties in rely specs
• R →+ G (R≜ G) (S(R) →+ S(G))
• R →+ G = S(R) →+ (S(G) (R G))
• Thus, any rely/guarantee spec can be converted to one whose rely is a pure safety property.
Composition Thm
Let M be the composition of Mi s.t. iI. Ifj:: S(R) /\ S(Gi) Rj
i:: Mi (R⊨ i, Gi) (i.e., i:: Ri →+ Gi )
• R →+ (/\ Gi G)
Then
M (R,G) ⊨ (i.e., R →+ G )
Decomposition Problem
• Let M M≜ 1 || …|| Mn, Ml M≜ l1 || …|| Ml
n.
• Prove that Ml implements M by proving
((E, /\iI Mli ) (E, /\iI Mi))
• Trivially true if (i: iI : MliMi)
• However, MliMi is not necessarily the case
in top down refinements of a system.
Decomposition
• We can relax MliMi and still reason about
one component at a time: – (i: iI: Ei Ml
iMi )
• However, the composition principle requires proving (i: iI: (/\kI Ml
k Ei)• Instead, we can avoid reasoning about the
entire low level system: – (i: iI: (/\kI Mk Ei))
Queue example
• Q1, Q2: queues of length N.• Q of length 2N+1 can be obtained by
composing Q1 and Q2.• The example is wrong
– Q1 and Q2 refer to N– Q1 and Q2 are not aware of each other
• Shankar 97 presents a buffer example very similar to the queue example
4. Lazy Composition, Shankar 97
• Difficult to apply R-G specs to composition– Gi should be strong enough to imply any potential
constraint Rj.– It is not easy to anticipate all the potential
constraints that might be placed on Mi.
• In lazy composition Gi of Mi is proved of the system Mi|| Ei where Ei captures the expected behavior of the abstract environment for Mi.
Lazy Composition (cont.)
• Gi might not hold for Mi|| Mj , however it holds for Mi|| (Mj Ei).
– Thus, the proof obligation that Mj satisfies Ei can be delayed till later.
• Lazy composition: cited as the main contribution of the paper– Same delay of proof is also possible for the
regular R-G specs.
Composition
• Let Me1= M1|| E1
• Closed co-imposition– Me
1 Me2 ≜ (M1 E2) || (M2 E1)
• Open co-imposition– Me
1 Me2 ≜ Me
1 Me2 || (E1 E2)
• Thm: [Me1Me
2] [Me1]
[Me1 Me
2] [Me1]
Elimination of Ei’s by using Refinement Proofs
• One can show that (M1 E2) || (M2 E1) || (E1 E2) is refined by
M1|| (M2 E1) || (E1 E2) to eliminate E2
• This is the main advantage of this approach– we do not have to prove G1 →+ R2
– instead we can employ a refinement proof to eliminate E2 (i.e. to satisfy R2)
5. Modified Rely-Guarantee rules, Manohar, Sivilotti 96
• M (R,G) (⊨ ≜ E:: (E||M R)⊨ (E||M ⊨G))– Thus, one has to consider all E to prove above.
• Modified Rely-Guarantee: R and G can refer only the local variables in M.
• M (R⌦ G) ⌦ (⊨ ≜ M R) ⊨ (M G) . ⊨
Modified Rely-Guarantee rules (cont.)
• Compositionality:– Let M (R G) ⊨ ⌦– Then (N:: M||N (R G) )⊨ ⌦
• Handles the verification of liveness properties easily.
Composition Thm
Let M be the composition of Mi s.t. iI. Ifj:: R ( /\i<j Ri Gi ) Rj
i:: Mi (R⊨ i G⌦ i)Then
M (R (⊨ ⌦i:: Ri Gi) )
Composition Thm: (safety props)
Let M be the composition of Mi s.t. iI. Ifi:: Ri ,Gi are safety properties j:: R /\Gi Rj
i:: Mi (R⊨ i G⌦ i)Then
M (R (⊨ ⌦i:: Ri Gi) )
6. Other work
• The need for compositional proof systems, deRoever 97– Decomposition thm Dijkstra’s verify while develop
approach
• Systematic composition of distributed objects: Processes & Sessions, Chandy & Rifkin 97– Considers Internet (anarchic system) as an application
of bottom up design using composition
Other work (cont.)
• Composition: A way to make proofs harder, Lamport 97– Decomposition thm is popular only because it
can be expressed in terms of PPL favored by CS people
– Decomposition thm is not necessary; when a system is specified using mathematics, decomposition trivially follows from math.
Other work (cont.)
• Towards a compositional approach to the design & verification of distributed systems, Charpentier&Chandy– UNITY framework– Resource allocator example
• Both top-down and bottom-up approaches used
– A component should publish its provided spec as well as different weaker specs to simplify reuse in different applications.
7. Rely-Guarantee wrappers for fault-tolerance
• Let M be the composition of Mi s.t. iI.
• Compositionality principle holds– (i:: Mi (R⊨ i, Gi)) M (R,G)⊨
– I.e., (i:: Si ) S
Rely-Guarantee wrappers (cont.)
• S’i (Fspan(R≜ i ) , Gi)
:masking F-tolerant version of Mi = M’i
• S’’i (Fspan(R≜ i ) , (Si unless Ri)S(Gi)) (Fspan(Ri ) , SiS(Gi)) :fail-safe F-tolerant version of Mi = M’’i
• S’’’i (Fspan(R≜ i ) , Si(True ↦Ri)) :nonmasking F-tolerant Mi = M’’’i
Rely-Guarantee wrappers (cont.)
• Let w’i be the wrapper to be added to Mi to get M’i (i.e., M’i ≜ w’i || Mi )
• R1: Calculate R-G specs for w’i , w’’i , w’’’i
• Si w’i = S’i then w’i ≜ Si S’i
• w’’i ≜ (Si , S’’i ) (Si , (FSpan (Ri ) S(Gi))
• w’’’i ≜ (Si , S’’i )
(Si , (FSpan (Ri ) ↦ Ri))
Proposal:
• Problem: How to calculate FSpan(Ri)?
• Using modified R-G would help – local reasoning while calculating FSpan(Ri)
– In general, we might not avoid global reasoning
• Use abstract faulty environment EFi
– Lazy composition for refinement proofs
• If F is a transient fault: FSpan(Ri) =True
Rely-Guarantee wrappers (cont.)
• R2: Prove that – (i:: S’i ) S’
– (i:: S’’i ) S’’
– (i:: S’’’i ) S’’’
• Can M be made F-tolerant by composing each Mi with wi ?
R2Need to show
j:: Rx /\ Gxi Rx
j
– Rx /\ Gxi Gx
To deduce (i:: RxiGx
i ) (Rx Gx )
• Easy for closed systems (R=True); – reuse criterion Gx
i Gj
– Ri Fspan(Rj )– Interference freedom rule might be needed for
nonmasking f-t