Automatic Non-interference Lemmas
for Parameterized Model Checking
Jesse Bingham, Intel DEG
FMCAD 2008
1
Classic CMP Approach

CMP approach [McMillan 99/01,
Chou et al. 04, Krstic 05, Lv et al 07, Li 07,
Talupur & Tuttle 08]


human writes non-interference lemmas from
counterexamples
system is iteratively strengthened with lemmas until
all lemmas and property hold
2
CMP requires human to write lemmas
Umm, me no think
possible in real
system
p0
p1
Human writes
“non-interference lemma”:
pother
i. orange  blue ( p(i ))
3
What we do

our approach removes lemma-writing burden
of human’s shoulders





start with “non-interference conjecture” False
abstract strengthened system
compute abstract reachability fixpoint
iterate, with concretized fixpoint as new conjecture
our contributions


general theory based on abstract interpretation
instantiation of theory for class of parameterized
protocols using BDDs & prototype tool
4
Roadmap
General Theory
 Symmetric Parameterized Protocols
 Case Studies/Final Thoughts

5
Theory

concrete transition system (C,I,T)
 C is the set of (concrete) states
 I  C are the initial states
 T  CC is the transition relation
 Reach(C,I,T) denotes set of reachable states
 p  C is called an invariant if Reach(C,I,T)  p
 for   C define
post[T]() = {y | x.(x,y)  T and x   }
6
Strengthening
For   C, the strengthening of (C,I,T) by , is the
transition system (C, I, T(  C)). We denote the
strengthening by T # .
Strengthen with
 = blue states
Theorem.  is an invariant of (C,I,T) if and only if  is an
invariant of T # .
7
Abstraction

finite abstract domain A along with partial
order ⊑ , forming a lattice (A,⊑)


Think of ⊑ as subset ordering on represented sets
galois connection (,) defines association
between concrete states and abstract domain
  : 2C  A
  : A  2C
  and  are order preserving
 other technical properties
8
 : Makes Abstract Posts for
Strengthened Concrete Systems (1/2)
set of concrete states
()
 :AA
Abstract post
(a.k.a abstract interpretation) of post[T # ]
9
 : Makes Abstract Posts for
Strengthened Concrete Systems (2/2)
A
()(a)
a
⊑
Abstract
Domain
(post[T#]((a))
“best” post
relative to (,)
Concrete
States
C
C
(a)
post[T#]((a))
10
The Method
Abstract
Domain
A
Concrete
States
C
Reach((Init),(
Reach((Init),(
k))
1))
Reach((Init),(
(k) ⊑ =
(property)
0))
…
Reach((Init),(k-1))
1
0 = False
2
…
k
11
Roadmap
General Theory
 Parameterized Protocols
 Case Studies/Final Thoughts

12
State variable types

let Pid denote the process IDs
 four types of variables




Bool
Pid  Bool
Pid
Pid  Pid
e.g. global FSM state
e.g. process FSM state, control
arrays indexed by Pid
e.g. global process pointer
e.g. pre-process process pointer
13
Transition relation syntax

atoms






w
(w : Bool )
x[p]
(x : Pid  Bool and quantifed var p )
y=p
(y : Pid and quantifed var p )
z[p]=q
(z : Pid  Pid and quant vars p & q)
plus any of the above with priming
transition formula syntax:
 

(e.u.0 )  (q.1 )
where 0 and 1 are (restricted) boolean combinations
of atoms
14
Protocol Abstraction

abstract domain is symmetric sets of views
 galois connection is straightfoward


similar to [Lahiri & Bryant 04]’s for universally
quantified predicate abstraction
thanks to a small model theorem & symmetry,
we can compute a best  using BDDs
15
Views [Chou et al 04]

a view only includes info regarding a small number m of
processes; Pid vars take values from {0,…,m-1,other}
Bool
View (m=2)
0
Pid  Bool
1
2
3
1
Bool
View (m=2)
3
1
Concrete state
Concrete state
0
Pid  Bool
1
2
Pid
Pid
3
other
16
Small Model Theorem
Bool
Pid
0
1
Pid  Bool
2
3
4
1
…
0
…
 -abstract away
this state in BDD
if and only if
0
n (arbitrarily big)
1
2
3
4
m+L+1 (fixed & small!)
1
…
0
…
17
Putting It All Together
i
(set of views
as BDD)
(i)
i+1 = Reach((Init),(i))
-quantify away all but first
m processes
Compute BDD for
T  (i)
of size m+L+1
Computed using BDD
techniques of
[Pnueli et al 01]
18
Non-best 

small model theorem allows for best 


can cause BDD blow-up
two orthogonal techniques allow for non-best
, which typically yields smaller BDDs

strengthen with subset of variables


also reduces small model theorem bound by 1
only strengthen “guarded commands” that depend
on abstracted state in the guards, or even fewer
19
Roadmap
General Theory
 Symmetric Parameterized Protocols
 Case Studies/Final Thoughts

20
Prototype Tool
built prototype tool using Intel’s forte formal
verification system [Seger et al 05]
 protocols modeled in forte’s language reFLect
 user specifies “ingredients”





number of concrete processes m=2
variables to constraint during strengthening
transitions to strengthen
dynamic BDD var ordering useful [Rudell 93]
21
Case Studies (1/3)

GERMAN [German 00]




“hello world” for parameterized verification
just one Pid var; no Pid Pid vars
control & data properties verified totally
automatically with “best” 
GERMAN2004




more complex than GERMAN
has Pid Pid vars (network)
previously verified by [Lv et al 07], who needed
human to add history vars
we verified the control property with non-best 
22
Case Studies (2/3)

FLASH [Kuskin et al 94]



“…if [a parameterized verification method] works on
FLASH, then there is a good chance that it will also
work on many real-world cache coherence
protocols.” [Chou et al 04]
first automatically verified by [Lv et al 07]
we verified the control property using non-best 
23
Case Studies (3/3)
outter
loop
iterations
abstract reach iterations
24
Final Thoughts

presented a method that automatically
computers non-interference lemmas




BDDs aren’t necessarily bad for protocols



general theory
applied to symmetric protocols
related to Invisible Invariants [Pnueli et al 01]
especially parameterized model checking
original work [McMillan 99/01] used SMV/BDDs
automation: intellectually pleasing…but
probably won’t scale
25
Foil graveyard…
26
Motivating Example
…
Want to prove invariance of something like:
i, j. ( yellow ( p(i ))  green( p( j )))
27
Abstract Process other
p0
p1
pother
Abstracts
behavior of
processes
{2,…,n} for
arbitrary n
 ( yellow( p(i))  green( p( j)))
Model Check:
i  0 ,1
j  0 ,1
28
Counterexample Analysis
Umm, me no think
possible in real
system
p0
p1
Human writes
“non-interference lemma”:
pother
i. orange  blue ( p(i ))
29
Guard Strengthening
p0
pother
p1
Strengthen with:
Model Check:
i. orange  blue ( p(i ))
orange  blue( p(i))

i 0,1
30
Order Preservation of Abstraction
()
Abstract
Domain
A
Concrete
States
()


C
31
Order Preservation of Concretization
a
Abstract
Domain
A
a
Concrete
States
C
(a)
(a)
32
Proving Invariants with  & 
(a different view from in the paper
& talk)
Abstracts
Reach(I,T#i)
Abstract
Domain
A
(i)
Reach((Init),(i))
Abstracts
T#i
Concrete
States
C
i
(Reach((Init),(i)))
= i+1
Theorem. i+1  i implies i
is a (concrete) invariant
33
Proving Invariants with  & 
Abstracts
T#i
Abstract
Domain
Reach((Init),(
(i))
)
A
⊑
Abstracts i
(i)
Abstracts
Reach(I,T#i)
Concrete
States
C
i
Theorem. Reach((Init),(i)) ⊑ (i)
implies i is an invariant
34
Weakening with  & 
Abstracts
Reach(I,T#i)
Abstract
Domain
A
(i)
Reach((Init),(i))
Abstracts
T#i
Concrete
States
C
i
(Reach((Init),(i)))
= i+1
35
Abstract Post ap()
A
Concrete
States
C
a
(a)
⊑
Abstract
Domain
ap(a)
(post((a)))
post((a))
36
 : Makes Abstract Posts for
Strengthened Concrete Systems
Abstract
Domain
A
Concrete
States
Abstract post image of T#
() : A  A

C
37
The Method (1/3)
Abstracts
T#i
Abstract
Domain
Reach((Init),(
(i))
)
A
⊑
|
(i)
Abstracts
Reach(I,T#i)
Concrete
States
C
i
(Reach((Init),(i)))
= i+1
38
The Method
start with 0 = False; iteratively compute 1, 2,
3,… until a provable invariant  is found
 this  is the strongest provable invariant



provable is relative to  and 
if we use  that is “best” then  is the
strongest invariant provable using 
39
Protocol Abstraction

abstract domain is symmetric sets of views
 galois connection is conceptually
straightforward; similar to [Lahiri & Bryant 04]


() = {View(s) | s and  is a view map}
thanks to a small model theorem & symmetry,
we can compute a best …
40
Small Model “cut-off”
number of concrete
processes in view
can be done away
With in certain
circumstances
m+ L + 1
number of existentially quantified
vars in protocol transition relation
 

(e.u.0 )  (q.1 )
41
Views
abstract domain is sets of views [Chou et al 04], which
are assignments to protocol vars with different typing
m a small constant (typically 2)
Pidm = {0,…,m-1}
Pidother = Pidm  {other}
type in protocol
Bool
type in view
Bool
Pid  Bool
Pid
Pidm  Bool
Pidmother
Pid  Pid
Pidm  Pidmother
42
Abstraction
Bool
Pid
0
Concrete state s
(with n=4)
Pid  Bool
1
2
3
2
other
0
1
Set of views (s)
1
other
0
other
43
Views (2/2) Replace this slide!!!
State of the form
array[other]
is abstracted
away
Pid vars
have type
{0,1,other}
p0
p1
pother
pother
m = 2 “concrete” processes
44
Small Model Theorem
view (m = 2)
arbitrarily large n
…
above can do any
“view transition”
iff below can
hence we  -abstract
these processes away
…
m+ L + 1
45
TODO…
46